All, I'm working on extracting some key info out of an Ansible HEC collector. I'm hoping to use json_extract for stuff like run time, machine, etc. The data shows up in Search. The data is formatted in proper JSON "tree" view with color coding in Search. The Ansible app uses the _json source type. When I tried to use

    ...| eval foo = json_extract(<objectname>) | table foo

I can only get it to show values for the first object in the list. After many hours of fiddling around I decided to see if I could get json_extract to work in a simpler scenario. I decided to try out the "cities" example from the Splunk online Docs: https://docs.splunk.com/Documentation/SCS/current/SearchReference/JSONFunctions

I ingested the example below as a file. I did NOT use the _json source type, so no index field extractions; we should just have the raw JSON below.

    {
      "cities": [
        {
          "name": "London",
          "Bridges": [
            { "name": "Tower Bridge", "length": 801 },
            { "name": "Millennium Bridge", "length": 1066 }
          ]
        },
        {
          "name": "Venice",
          "Bridges": [
            { "name": "Rialto Bridge", "length": 157 },
            { "name": "Bridge of Sighs", "length": 36 },
            { "name": "Ponte della Paglia" }
          ]
        },
        {
          "name": "San Francisco",
          "Bridges": [
            { "name": "Golden Gate Bridge", "length": 8981 },
            { "name": "Bay Bridge", "length": 23556 }
          ]
        }
      ]
    }

I then try the following statement from the Splunk Doc:

    ...| eval extract_cities = json_extract(cities) | table extract_cities

I get nothing. The example says I should get this below. I'm on Splunk 8.0.6. Is this a bug? This is the first time I've had to work with JSON on this box. Many thanks in advance for the help.