spath

spath is a widely used search command that extracts fields from structured data (JSON or XML) carried in an event, and it turns up in all sorts of situations. Below are some useful searches that combine spath with other search commands.

json spath w/ date

... | spath input=message | where strptime('updated_at', "%Y-%m-%d %H:%M:%S %z") > strptime("2013-08-07 00:00:00", "%Y-%m-%d %H:%M:%S")

purpose:

Searches for events that contain a field called "message". That field holds a JSON payload, which is expanded into fields by a call to spath. A value from the resulting expansion (updated_at) is then parsed with strptime and used to keep only those events whose date meets the given criteria.

requirements:

comments:
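A self-contained way to try the search above without an index, using a constructed JSON event (added example, not part of the original page; the payload, field names and the 2013-08-07 cut-off date are assumptions). It also shows the explicit path= form of spath, which is the practical way to reach an array (tags{}) or a nested object (actor.user) that the automatic extraction names awkwardly:

```spl
| makeresults count=1
| eval message="{\"id\": 42, \"updated_at\": \"2013-08-09 14:30:00 +0000\", \"tags\": [\"auth\", \"failed_login\"], \"actor\": {\"user\": \"alice\", \"src\": \"10.0.0.5\"}}"
| spath input=message
| spath input=message path=tags{} output=tag
| spath input=message path=actor.user output=user
| where strptime('updated_at', "%Y-%m-%d %H:%M:%S %z") > strptime("2013-08-07 00:00:00 +0000", "%Y-%m-%d %H:%M:%S %z")
| table updated_at user tag
```

The cut-off is written with an explicit offset and parsed with %z on both sides so the comparison is made between two absolute times rather than depending on the search head's configured time zone; change the date in the eval to 2013-08-06 and the row drops out.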

XML with spath

index=demo1 sourcetype=xml-log-data | spath input=message | where strptime('message.updated_at', "%Y-%m-%d %H:%M:%S %z") > strptime("2013-08-07 00:00:00", "%Y-%m-%d %H:%M:%S")

purpose:

Searches for events in index demo1 with sourcetype xml-log-data that contain a field called "message". That composite (XML) field is expanded into fields by a call to spath. A value from the resulting expansion (message.updated_at) is then parsed with strptime and used to keep only those events whose date meets the given criteria.

requirements:

comments:

Show links between tags, sourcetypes, apps and datamodels.

| rest splunk_server=local count=0 /servicesNS/-/-/admin/datamodel-files
| spath input=eai:data output=base_search path=objects{}.baseSearch
| spath input=eai:data output=constraints path=objects{}.constraints{}.search
| eval tag_content = mvappend(base_search,constraints)
| rex max_match=0 field=tag_content "tag=\"?(?<tag_name>\w+)\"?"
| mvexpand tag_name
| rename title AS datamodel
| append
    [| rest splunk_server=local count=0 /servicesNS/-/-/admin/eventtypes
    | rename eai:acl.app AS app tags AS tag_name
    | search app="*TA*"
    | rex max_match=0 field=search "sourcetype=\"?(?<sourcetype>[^\s\"^)]+)\"?"
    | mvexpand sourcetype
    | mvexpand tag_name
    | eval app_sourcetype=mvzip(app,sourcetype,"__")
    | stats list(tag_name) as tag_name by app, sourcetype,app_sourcetype ]
| stats list(datamodel) as datamodel, list(app) as app, list(app_sourcetype) as app_sourcetype by tag_name
| search datamodel=*
| stats values(datamodel) as datamodel, values(tag_name) as tags by app_sourcetype
| eval tags=mvdedup(tags)
| rex max_match=0 field=app_sourcetype "\"?(?<app>.+)__\"?"
| rex max_match=0 field=app_sourcetype "__\"?(?<sourcetype>.+)\"?"
| fields - app_sourcetype

purpose:

This search answers the question: which Enterprise Security dashboards will my new add-on be used for? It does so by matching the tags referenced in each data model's base search and constraints against the tags and sourcetypes declared by the event types of each add-on.

requirements:

comments:

This is useful for seeing which app populates which data model in Enterprise Security, or in any other environment that uses data models.