Getting Data In

How to handle simple JSON array with spath

ruman
Splunk Employee

The field value is ["","apples","oranges"]

| spath input=foo creates a multi-value field named '{}', which is a little weird.

| spath input=foo output=bar fails. Splunk complains:

Error in 'spath' command: You have not specified a path. Try using "path=mypath" as an argument to spath.

I can't find a value for path that works, given that I want to address the root.

A kludgey workaround is | spath input=foo | rename "{}" AS bar, but it would be nicer if this was possible with spath alone.

1 Solution

vliao
Engager

This might not answer your question, but I had a similar problem getting spath to work with an array of objects. For foo=[{"bar":1},{"bar":2},{"bar":3}], I did not even get a multivalued field named '{}' when using: | spath input=foo

I got spath to work by changing my log format and wrapping the JSON array in an object:

foo={"foo":[{"bar":1},{"bar":2},{"bar":3}]}

I was then able to use the following:

| spath input=foo output=bar path=foo{}.bar

Without altering the log, I was able to use:

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}.bar


sanjax90
New Member

How do I use spath on the JSON below to check whether, for AnalyticsExternalDataSizeMB, Remaining/Max*100 is >= 70%?

{
"AnalyticsExternalDataSizeMB":{
"Max":478600,
"Remaining":40960
},
"ConcurrentAsyncGetReportInstances":{
"Max":200,
"Remaining":200
},
"ConcurrentEinsteinDataInsightsStoryCreation":{
"Max":5,
"Remaining":5
},
"ConcurrentEinsteinDiscoveryStoryCreation":{
"Max":2,
"Remaining":2
},
"ConcurrentSyncReportRuns":{
"Max":20,
"Remaining":20
},
"DailyAnalyticsDataflowJobExecutions":{
"Max":60,
"Remaining":60
},
"DailyAnalyticsUploadedFilesSizeMB":{
"Max":51200,
"Remaining":51200
},


sheshank_kodam
New Member

How do I extract the title information from the JSON and table it?

[{
    'start_time': '2016-08-05T18:42:00Z',
    'title': u "event1",
    'end_time': '2016-08-05T20:49:00Z'
}, {
    'start_time': '2016-08-05T18:42:00Z',
    'title': u "event2",
    'end_time': '2016-08-05T20:49:00Z'
}]

Desired output (in table)
Title
event1
event2

Here is the search I have, and it doesn't work:

| spath input=err output=title path={}.title | table title
ruman
Splunk Employee

Wow! That's perfect. For my case, just a naked array instead of an array of objects, I was able to say

foo=["","apples","oranges"]

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}

Thanks!


sivasn1
Engager

Hey guys, when you use 'foo' everywhere, it's a little difficult for me to follow which refers to which 'foo'. Please use variants like 'foo2' or 'foo_key' etc. for clarity for beginners.

DalJeanis
SplunkTrust

@sivasn1 -

The event JSON comes in with this data...

  foo1=["","apples","oranges"]

This takes the value above, prepends the name foo3 to it to establish a valid path in JSON format, and puts it into a variable named foo2.

 | eval foo2="{\"foo3\":" + foo1 + "}" 

This takes the valid JSON variable foo2 we just created above, and uses the spath command to extract the information from the foo3 path into a normal Splunk multivalue field named foo4.

| spath input=foo2 output=foo4 path=foo3{}

Using the above, you should be able to understand what was happening with the original code.


Here's a run-anywhere sample...

 | makeresults 
 | eval foo1="[\"\",\"apples\",\"oranges\"]"
 | eval foo2="{\"foo3\":" + foo1 + "}" 
 | spath input=foo2 output=foo4 path=foo3{}
 | table foo1 foo2 foo3 foo4

Note that with the above table command, field foo3 will be null, because it isn't a field in Splunk; it is a field name assigned solely in the JSON data.
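The wrapping trick and the spath path syntax used across this thread (foo3{} for a naked array, foo{}.bar for an array of objects, and the nested Max/Remaining objects from the quota question), modelled in Python as an added example. This is not Splunk's spath implementation, and the sample JSON strings are constructed from the data posted in the thread.

```python
import json
import re

# Added example, not Splunk's own code: a small model of how spath-style
# paths such as foo3{} and foo{}.bar walk a JSON document, plus the
# "wrap the naked array in an object" trick used in the thread.

# One path step is a key, optionally followed by {} to fan out over an array.
_STEP = re.compile(r"^([^{}.]+)(\{\})?$")

# Constructed sample inputs mirroring the thread's data.
NAKED_ARRAY = '["","apples","oranges"]'
ARRAY_OF_OBJECTS = '[{"bar":1},{"bar":2},{"bar":3}]'
LIMITS = ('{"AnalyticsExternalDataSizeMB":{"Max":478600,"Remaining":40960},'
          '"ConcurrentAsyncGetReportInstances":{"Max":200,"Remaining":200}}')


def wrap_root(json_text, root="foo"):
    # Give a naked JSON array a root key, as the thread's eval does:
    # | eval foo2="{\"foo3\":" + foo1 + "}"
    return f'{{"{root}":{json_text}}}'


def spath(json_text, path):
    """Resolve `path` against the JSON text. Returns a list of matches
    (Splunk's multi-value field), or [] when the path does not exist."""
    current = [json.loads(json_text)]
    for step in path.split("."):
        m = _STEP.match(step)
        if m is None:
            # A step like "{}" names no key: the root array cannot be
            # addressed directly, which is the problem the thread hits.
            raise ValueError(f"path step {step!r} has no key")
        key, fan_out = m.group(1), m.group(2) is not None
        nxt = []
        for node in current:
            if not isinstance(node, dict) or key not in node:
                continue  # path not present in this branch
            value = node[key]
            if fan_out:
                if isinstance(value, list):
                    nxt.extend(value)
            else:
                nxt.append(value)
        current = nxt
    return current


def pct_remaining(json_text, limit):
    """Remaining/Max*100 for one limit object (the quota question above)."""
    mx = spath(json_text, f"{limit}.Max")[0]
    rem = spath(json_text, f"{limit}.Remaining")[0]
    return rem / mx * 100
```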

gryz
Explorer

Are you sure that you are feeding it properly formatted JSON data? I did some stuff with JSON that wasn't working quite right and it turned out we were not formatting it correctly.


ruman
Splunk Employee

The fact that spath input=foo correctly creates a multiple value field, with correct data, suggests that the JSON is well-formed.

As noted, the JSON in question is ["","apples","oranges"] - let me know if there's something wrong with that. Maybe I should provide the original event:

[25-Oct-2012 13:37:38] INFO [test] foo="[\"\",\"apples\",\"oranges\"]"

There's a transform that handles the escaped quotes gracefully.
