Splunk 查询以从 JSON 单元格获取字段
[英]Splunk query to get field from JSON cell
问题描述
The splunk query outputs a table where one of the column has these kind of json the part of the query that gives this output is details.ANALYSIS 
splunk 查询输出一个表,其中一个列具有此类 json 给出此 output 的查询部分是details.ANALYSIS 。分析
{"stepSuccess":false,"SR":false,"propertyMap":{"Url":"https://example.com","ErrCode":"401","transactionId":"7caf34342524-3d232133da","status":"API failing with error code 401"}}
I want to edit my splunk query so that instead of this json, I get only Url in this same column.我想编辑我的 splunk 查询,以便在同一列中只得到Url而不是这个 json。
Here is my splunk query I was using这是我正在使用的 splunk 查询
|dbxquery connection="AT" query="select service.req_id, service.out,details.ANALYSIS from servicerequest service,SERVICEREQUEST_D details where service.out like 'XYZ is%' and service.row_created > sysdate-1 and service.SERVICEREQUEST_ID = details.SERVICEREQUEST_ID and details.ANALYSIS_CLASS_NAME = 'GetProduction' " shortnames=0 maxrows=100000001
I tried using details.ANALYSIS.propertyMap.Url but it throws error.我尝试使用 details.ANALYSIS.propertyMap.Url 但它会引发错误。
1 个解决方案
解决方案1
1 2020-07-31 12:58:36
You can probably use spath to extract the fields from details.ANALYSIS您可能可以使用spath从 details.ANALYSIS 中提取字段
Try the following to extract all fields尝试以下提取所有字段
| | spath field="details.ANALYSIS" spath field="details.ANALYSIS"
Or this just for the url field you are after或者这仅适用于您所追求的 url 字段
| | spath field="details.ANALYSIS" path="propertyMap.Url" spath field="details.ANALYSIS" path="propertyMap.Url"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.