I am trying to extract this userid (which is part of applicationTags) field in Splunk.
Can someone please help.
Json:
{ [-]
allocatedMB: -1
allocatedMemorySeconds: 1546332
allocatedVCores: -1
allocatedVcoreSeconds: 273
applicationId: application_1658075295053_0071
applicationTags: [ [-]
hive_20220718142121_632022dc-9399-4034-a45d-08042dfb4367
userid=rajani
]
attributes: { [-]
diagnostics: Session stats:submittedDAGs=1, successfulDAGs=1, failedDAGs=0, killedDAGs=0
}
endTime: 2022-07-18T14:23:52.384Z
mr2AppInformation: { [-]
}
name: HIVE-907b6fd3-aa12-4136-af66-9787fdec52c5
pool: xxx
progress: 100
runningContainers: -1
startTime: 2022-07-18T14:21:23.254Z
state: FINISHED
user: hive
}
CodePudding user response:
You can use the spath command of Splunk:
... | spath output=myfield path=applicationTags{}.userid
More information and examples can be found in the official documentation: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath
CodePudding user response:
There are at least two approaches you can use.
If your sourcetype's JSON is not being parsed properly by Splunk, this rex will pull it for you:
| rex field=_raw "userid=(?<userid>\w+)"
If it is being parsed properly, then you can probably get it by a variation on the theme of:
| rename applicationTags{}.userid as userid
To get a full listing of the fields Splunk knows about for this sourcetype, use fieldsummary. E.g.:
index=ndx sourcetype=srctp
| fieldsummary
| fields field values
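Added example (not from either answer above): the sample event lists applicationTags as an array of plain strings, so this search reads the array with spath, keeps the element that starts with userid=, and extracts its value next to the event's user field (hive in the sample); events with no such tag get userid=unknown. The makeresults event is constructed from the question's sample, and the field names tag, userid_tag and service_user are assumptions chosen for illustration.

```spl
| makeresults
| eval _raw="{\"applicationId\":\"application_1658075295053_0071\",\"applicationTags\":[\"hive_20220718142121_632022dc-9399-4034-a45d-08042dfb4367\",\"userid=rajani\"],\"state\":\"FINISHED\",\"user\":\"hive\"}"
| spath path=applicationTags{} output=tag
| spath path=user output=service_user
| spath path=applicationId output=applicationId
| eval userid_tag=mvindex(mvfilter(match(tag, "^userid=")), 0)
| rex field=userid_tag "^userid=(?<userid>\S+)"
| fillnull value="unknown" userid
| table applicationId service_user userid
```

Against real data, replace the first two lines with the base search (for example the index and sourcetype used in the fieldsummary search above).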