I am trying to read an attribute from a Splunk log that looks like this:
context=context{version="1.1.2", id="123", userId=""}
I need to get count by version
My Splunk query:
index="$index" "$filterString" | spath input=context output=versionId path=version | stats count by versionId
The value of version is not being read correctly. Is the spath correct here?
spath is the right command, but it only works with valid JSON strings. The given string is considered invalid by jsonlint.com.
Here is a workaround that uses rex to extract the version ID.
index="$index" "$filterString"
| rex field=context "version=\\\"(?<versionId>[^\\\"]+)"
| stats count by versionId
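To see why spath fails on this field and what the rex workaround actually extracts, here is an added Python example (not part of the question or the answer above, and not Splunk code) that runs the same logic offline over a few constructed sample events. It goes slightly beyond the answer: besides the version="..." regex, it parses the whole context{key="value", ...} payload into a dictionary and mirrors the stats count by versionId step, which silently drops events that have no version. The event shapes, timestamps and field names other than context/version are assumptions for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample events in the shape described in the question; not real log data.
SAMPLE_EVENTS = [
    'ts=2024-01-01T00:00:00Z context=context{version="1.1.2", id="123", userId=""}',
    'ts=2024-01-01T00:00:01Z context=context{version="1.1.2", id="124", userId="alice"}',
    'ts=2024-01-01T00:00:02Z context=context{version="1.2.0", id="125", userId=""}',
    'ts=2024-01-01T00:00:03Z context=context{id="126", userId="bob"}',  # no version key
    'ts=2024-01-01T00:00:04Z msg="no context field here"',               # no context at all
]

# Splunk auto-extracts context=<value> as a field; here we grab the value up to the closing brace.
CONTEXT_RE = re.compile(r'context=(context\{[^}]*\})')

# Same idea as the rex in the answer: the text after version=" up to the next double quote.
VERSION_RE = re.compile(r'version="(?P<versionId>[^"]+)')

# Generalisation: every key="value" pair inside the braces (values may be empty, e.g. userId="").
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def extract_context(event):
    """Return the raw context{...} string from one event, or None if absent."""
    m = CONTEXT_RE.search(event)
    return m.group(1) if m else None


def is_valid_json(text):
    """spath needs valid JSON; the context{...} form is not, so json.loads rejects it."""
    try:
        json.loads(text)
        return True
    except (ValueError, TypeError):
        return False


def extract_version(context):
    """Equivalent of the rex workaround: returns the version string or None."""
    if context is None:
        return None
    m = VERSION_RE.search(context)
    return m.group("versionId") if m else None


def parse_context(context):
    """Parse context{k="v", ...} into a dict; works for the non-JSON format that spath cannot read."""
    if context is None:
        return {}
    return dict(PAIR_RE.findall(context))


def count_by_version(events):
    """Equivalent of '| stats count by versionId': events without a version are not counted."""
    counts = Counter()
    for event in events:
        version = extract_version(extract_context(event))
        if version is not None:
            counts[version] += 1
    return dict(counts)


if __name__ == "__main__":
    sample = extract_context(SAMPLE_EVENTS[0])
    print("valid JSON?", is_valid_json(sample))
    print("parsed:", parse_context(sample))
    print("count by version:", count_by_version(SAMPLE_EVENTS))
```

Running it shows the first context string fails JSON parsing (which is exactly why spath produces nothing), while the regex pulls out the version and the count matches what stats count by versionId would report, with the two events lacking a version omitted from the totals rather than counted under an empty value.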