Undoubtedly one of the best videos I've seen.
This has helped me so much in completing a project on time :) !!
Simply awesome.. thank you so much
Another very useful video. 😀
Thanks
Thank you, nice information. I am looking to change the format of a datetime field. Like in your example, at the end, you extracted the time field. I want this field without the time zone information.
Can we do field formatting/conversion while using spath?
Please reply.
spath will extract the field as is... there is no formatting option there, but after the field extraction you can use the fieldformat command to format the field.
docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Fieldformat
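As an added example (mine, not from the video or the reply above), here is one way to show an spath-extracted timestamp without its zone offset. It assumes a JSON event whose `event.timestamp` value looks like `2021-03-25T10:21:58+0530` and an index called `myindex`; both are placeholders.

```spl
index=myindex sourcetype=_json
| spath path=event.timestamp output=raw_ts
| eval ts_epoch=strptime(raw_ts, "%Y-%m-%dT%H:%M:%S%z")
| fieldformat ts_epoch=strftime(ts_epoch, "%Y-%m-%d %H:%M:%S")
| rex field=raw_ts "^(?<ts_wallclock>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| table raw_ts ts_epoch ts_wallclock
```

The two output columns mean different things. `ts_epoch` stays numeric underneath (sortable, usable in `where`), and `fieldformat` only changes how it is displayed; `strftime` renders it in the searching user's time zone, so `10:21:58+0530` shows as a different hour for a user set to UTC. `ts_wallclock` keeps the digits exactly as logged with the offset cut off by `rex`. Decide which one "without time zone" means for your case; when correlating events from hosts in different zones, the epoch form is the one that lines up.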
Very nice video. Thanks. Can you please elaborate on how to use spath with structured and unstructured content?
When you have structured data like JSON or XML you don't need the spath command, as Splunk's built-in sourcetype is sufficient to extract fields... in certain scenarios where Splunk is not able to extract fields you can use spath to extract fields from the structured data.
For unstructured data you need to use regex for the field extraction anyway.
I love your videos
Another great explanation. Thanks for the video. In addition, how do I align multi-line XML into a single line?
Did you mean that you want to create multi-line XML events?
Great explanation!! Thank you so much for the video. I have a question as well. Can we extract a particular value from JSON data by passing a key-value instead of a particular index value?
Using spath we are doing exactly that... but when it comes to a JSON array, if you need to extract a specific field from an array element you need to use the index value.
@splunk_ml Thank you for the reply. In my scenario, the index is not fixed. I only know the key-value and want to fetch that particular value from the JSON data so that only this value is shown in the column instead of all the values from the JSON data (multi-value column).
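An added example, not part of the thread above: selecting an array element by a key value rather than by its position. It assumes a constructed JSON event `{"request_id":"abc123","users":[{"name":"sai","role":"admin"},{"name":"ravi","role":"viewer"}]}` in a placeholder index `myindex`, and the goal is the `role` of the user whose `name` is `ravi` without knowing which array slot that user occupies.

```spl
index=myindex sourcetype=_json
| spath path=request_id
| spath path=users{} output=user
| mvexpand user
| spath input=user path=name output=user_name
| spath input=user path=role output=user_role
| search user_name="ravi"
| table request_id user_name user_role
```

`spath path=users{}` returns every array element as its own JSON string in a multi-value field; `mvexpand` turns that into one row per element, and the two `spath input=user` calls parse each element on its own, so the `search` can filter by key and only the matching row (with its `role`) reaches the table. If events carry large arrays and the row explosion from `mvexpand` is a concern, the same selection can be done in place with `eval hit=mvfilter(match(user, "\"name\":\"ravi\""))` followed by `spath input=hit path=role`; that variant matches on the raw JSON text, so it depends on the producer's exact spacing and quoting.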
Hi! Amazing channel, thanks! Are you going to publish any video about the Splunk ITSI app?
I wanted to, but it's not free 😔. I am checking with Splunk whether they can provide me a sandbox system for a longer time.
Thank you!
Great
Thank you sir!!!
Hi Sid... one doubt... please help me... my data looks like
Mar 25 10:21:58 server-name apimanagrment[-]: { "name":"sai", "age":25....}
On this data, if I am using
index=* | spath
it's not extracting those name and age fields...
However, if I use
index=* | extract pairdelim="," kvdelim=":"
it is extracting the fields properly...
I don't want to use extract, as I have a lot of data and it will also extract all fields... I want to use spath for just the fields I need.
But why is the above spath not extracting anything?? Please guide me... however, if I use spath on a particular field it's working... it's not working on the raw data..
The problem is your raw data is not proper JSON. That's why it's not working. Better to use rex in this case to extract name and age.
@splunk_ml Thank you so much... I tested with rex, it is working fine.
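An added example (mine, not the commenter's or the reply's) that covers both the structured-versus-unstructured point made earlier in the thread and this exchange: the sample line above is a syslog-style prefix followed by a JSON body, so `spath` run on `_raw` has nothing it recognises as JSON. The unstructured part is handled with `rex`, which cuts the JSON out into its own field, and `spath` is then pointed at that field for only the keys that are needed. The index `myindex` and sourcetype `apimgmt` are placeholders; the event shape is the commenter's own line.

```spl
index=myindex sourcetype=apimgmt
| rex field=_raw "^(?<syslog_prefix>[^{]*)(?<json_body>\{.*\})\s*$"
| spath input=json_body path=name
| spath input=json_body path=age
| where isnotnull(name)
| table _time syslog_prefix name age
```

The regex takes everything up to the first `{` as the prefix and everything from there to the last `}` as the body, so nested objects inside the JSON are kept intact; trailing text after the final `}` would need to be excluded from the pattern, and a body that spans lines needs `(?s)` at the front of the regex. Naming the `path=` arguments keeps the extraction limited to `name` and `age` rather than every key in the body, which was the objection to `extract`. The `where isnotnull(name)` drops lines from the same source that carry no JSON at all, which otherwise appear as rows with empty fields.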
Thanks for this one. I have a suggestion: if you can, start a series on Splunk MLTK.
Yes, I will be covering that gradually. Initially I will cover the theory part.