
Assign Nested Value to Variable in Splunk


I have an event log in Splunk that looks like this:

{ 
  "event": { 
    "Id":"12345",
    "Name": "My Event",
    "Inputs": {
      "Param1":"some value",
      "Param2":"another value"
    },
    "Result": {
      "statusCode":"304"
    }
  }
}

I need to get the value of the statusCode from the Result to determine what kind of error I received. Currently, I'm using the following Splunk query:

index="myIndex"
sourcetype="*"
| spath=event
| fields
  _time
  Name
  Result.statusCode
| eval _status="tbd"
| eval _code=statusCode
| eval _code=case(statusCode>=200 AND statusCode<300, "OK", statusCode>=300 AND statusCode<400, "Redirected", statusCode>=400 AND statusCode<500, "User Error", statusCode>=500, "Server Error")
| rename
  Name as RequestName
  _code as StatusCode
  _status as Status
| table
  _time
  RequestName
  Status
  StatusCode
  Result.statusCode

The above is a port of the actual query in an effort to isolate the issue. Still, the issue is when I run my query, I can see:

  • _time
  • RequestName
  • Status
  • Result.statusCode

Oddly, and this is the part that confuses me, I cannot see StatusCode. I need a variable to do additional processing, which is why I have the eval _code statement. However, I'm not having any luck using Result.statusCode as a variable. What am I missing?


Solution

  • Avoid leading underscores in field ("variable") names as they are hidden by default. Some can only be used after assigning their values to another field.

    Also, creating a field and then renaming it is unnecessary unless the final field name will contain spaces or special characters.

    It looks like something is missing from the query since only the _time and Result.statusCode fields exist, but statusCode is used often. The case function will return null if statusCode does not exist. The Name field also doesn't exist so I don't understand how you can see RequestName.

    index="myIndex"
    sourcetype="*"
    | spath event
    | fields
      _time
      Name
      Result.statusCode
    | eval Status="tbd", statusCode='Result.statusCode'
    | eval StatusCode=case(statusCode>=200 AND statusCode<300, "OK", 
                           statusCode>=300 AND statusCode<400, "Redirected", 
                           statusCode>=400 AND statusCode<500, "User Error", 
                           statusCode>=500, "Server Error",
                           1==1, statusCode)
    | rename
      Name as RequestName
    | table
      _time
      RequestName
      Status
      StatusCode
      Result.statusCode
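    A self-contained version of the fix above, added here as an example rather than taken from the answer: makeresults builds the sample event from the question inline, spath runs over _raw so the extracted field names carry the event. prefix, the nested field is read with single quotes in eval, tonumber() makes the range comparisons explicitly numeric, and the case() has an isnull() branch so a missing status code is labelled instead of silently dropped. The field names statusCode, StatusClass and RequestName are assumptions chosen for this example.

```spl
| makeresults
| eval _raw="{\"event\":{\"Id\":\"12345\",\"Name\":\"My Event\",\"Inputs\":{\"Param1\":\"some value\",\"Param2\":\"another value\"},\"Result\":{\"statusCode\":\"304\"}}}"
| spath
| eval statusCode=tonumber('event.Result.statusCode')
| eval StatusClass=case(isnull(statusCode), "No status code",
                        statusCode>=200 AND statusCode<300, "OK",
                        statusCode>=300 AND statusCode<400, "Redirected",
                        statusCode>=400 AND statusCode<500, "User Error",
                        statusCode>=500, "Server Error",
                        1==1, "Unknown")
| rename event.Name as RequestName
| table _time RequestName statusCode StatusClass
```

    Paste this into any Splunk search bar without an index to confirm the logic; for the constructed event it yields statusCode 304 and StatusClass "Redirected". Swap the makeresults and eval _raw lines for index="myIndex" to run it against real data.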