splunk查询输出一个表,其中一列包含此类json,而查询中给出此输出的部分是 details.ANALYSIS ```
{"stepSuccess":false,"SR":false,"propertyMap":{"Url":"https://example.com","ErrCode":"401","transactionId":"7caf34342524-3d232133da","status":"API failing with error code 401"}}
我想编辑我的splunk查询,这样代替这个json,我只得到 `Url` 在同一列中。
这是我使用的splunk查询|dbxquery connection="AT" query="select service.req_id, service.out,details.ANALYSIS from servicerequest service,SERVICEREQUEST_D details where service.out like 'XYZ is%' and service.row_created > sysdate-1 and service.SERVICEREQUEST_ID = details.SERVICEREQUEST_ID and details.ANALYSIS_CLASS_NAME = 'GetProduction' " shortnames=0 maxrows=100000001
我尝试使用details.analysis.propertymap.url,但出现了错误。
1条答案
按热度按时间siotufzp1#
你可以用
spath从details.analysis中提取字段尝试以下操作以提取所有字段
|spath field=“详细信息.分析”
或者这只是你要找的url字段
|spath field=“details.analysis”path=“propertymap.url”