All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract fields with JSON values while creating a DB input in Splunk DB Connect?

gsrivastava
Explorer
‎09-18-2017 02:34 AM
  • I am creating a DB Input in DB Connect v3
  • My DB columns contains JSON values.
  • I am getting correct raw data in Splunk, but on selecting Table mode, the field does not have correct values. for ex, if the column name is status and the JSON it contains is : "[{"datasetId":1,"refreshStatus":16}]", then the field created in splunk is status but it only contains the value : '[{'.
  • All the rows in Splunk contains this same value '[{'
  • May be Splunk is using double quote as a delimiter to separate fields, but the JSON itself contains the quotes.
0 Karma
Reply

stefan_d
Path Finder
‎07-31-2018 07:21 AM

Hi there!

Have you managed to solve this problem?
I also have a similar issue, is it possible to grab the JSON data from a column in your DB input?

0 Karma
Reply

gsrivastava
Explorer
‎10-24-2017 10:45 PM

May be this happens because Splunk IFX uses comma(,) as a default delimiter to separate and extract fields but the JSON itself contains commas(,) , therefore the default regex which is generated separates the field when it encounters the first comma(,) .
So to extract any JSON field, one has to edit the original regex and make any changes required to extract the entire JSON field instead of '[}'

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-20-2017 06:18 PM

Hello gsrivastava . I am seeing my fields with the JSON. Try SELECT field and then do | table field

I am seeing {"key":"value,"key2":"value2"} etc.

Maybe you can show your SELECT with LIMIT 1 and the output you get.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-18-2017 05:13 PM

I am using DB Connect 2.4.0 with JSON data. A sample might be.

"record":{"subfield1":"value1","subfield2","value2"}

I use "SELECT record['subfield1'] AS subfield1.. WHERE record['subfield'] IS NOT NULL" to get the value.

And if subfield1 itself is JSONlike then I do something like rex field=subfield1 "\"somefield\":(?<somefieldT>.*?)[,}]" in order to get somefield out.

0 Karma
Reply

gsrivastava
Explorer
‎09-19-2017 01:53 AM

Thanks @burwell for responding. But I want complete json in a field and handle that json in splunk itself.
Sample JSON array is-

[  
   {  
      "set":3,
      "ids":[  
         9
      ],
      "status":12,
      "code":570,
      "idDetails":[  
         {  
            "id":9,
            "status":12,
            "code":570
         }
      ]
   },
   {  
      "set":1,
      "ids":[  
         5,
         8
      ],
      "status":21,
      "code":601,
      "idDetails":[  
         {  
            "id":5,
            "status":21,
            "code":601
         },
         {  
            "id":8,
            "status":21,
            "code":601
         }
      ]
   }
]

With this kind of nested JSON and with multiple keys having the same name, its not possible to extract all the fields in SQL itself.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...