Getting Data In

extract multivalue nested json

hugo_vazquez
Explorer

I have a multivalue nested JSON that I need to parse. auto_kv_json is enabled in my props.conf file, and it is extracting most of my key values. But for some reason, there are a few that Splunk is not extracting: I can see those values if I check the raw data, but Splunk won't present them to me in the results as JSON data.
This is how my JSON looks:

"some_name": {
    "my.very.nested.json.output.some.more.strings.tomakeitcomplicated": {
        "count": 1,
        "max": 0.5,
        "mean": 0.1,
        "min": 0.092808133,
        "mean_rate": 0.30310791967810413,
        "duration_units": "seconds",
        "rate_units": "calls/second"
    },

I need to extract the count, so I can present it on a table.

1 Solution

saurabhkharkar
Path Finder

Try this:

index=yourindex | rex field=_raw ".*?\"count\":\s(?<count>\d+)\,"


macadminrohit
Contributor

Why not use spath to traverse to the specific field in the nested JSON? In your case it should be some_name."my.very.nested.json.output.some.more.strings.tomakeitcomplicated"."count"


saurabhkharkar
Path Finder

index=yourindex | rex field=_raw ".*?\"count\":\s(?<_raw>\d+)\,"


saurabhkharkar
Path Finder

In the regular expression, replace the _raw before \d with count. Not sure why I can't type it in the search.

cpetterborg
SplunkTrust

What is extracted and what isn't extracted? And is there supposed to be an ending } that you have left off?


hugo_vazquez
Explorer

Thank you, cpetterborg.
I need to extract the count, so I can present it in a table.
"count": 1,

You're right, there's a } missing, but this is because I'm showing only part of the entire JSON, which is huge.
The JSON string is fine; Splunk is extracting most of the key values. The problem is with only a few, like the one in the example I posted.

cpetterborg
SplunkTrust

This is a JSON string that is in a field, not the entire event, right? If that is the case, you cannot depend on Splunk to extract all the JSON fields (that could be expected if the event were only a JSON string and you configured it to be extracted that way).

I would suggest doing an auto-field-extraction for the sourcetype, which will take some regular expression knowledge, or using the field extraction tool (which has its own problems, but may work fine for this case). Without knowing the entire event contents it's hard (though not impossible) to provide a field extraction that would always work. As a quick hack at the regex:

"count":\s*(?P<count>\d+),

You could use that as an auto-field-extraction, or in a rex command like this:

... | rex field=<the-json-string-field-name> "\"count\":\s*(?P<count>\d+),"

If this is not producing good results for you, post more here about the problem.

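The two extraction styles proposed in this thread (the rex regexes in the accepted answer and in cpetterborg's reply, and macadminrohit's spath path) behave differently on a large document, and the thread never shows why. A pattern like "count":\s*(?P<count>\d+), takes the first count in the event, whichever key it belongs to, while a path walk only returns the count under the key you asked for. The following is an added example, written in Python rather than SPL so it can be run offline; it is not code from the original thread. The event is constructed here, trimmed to the shape posted above plus a second, unrelated count key; the function names rex_count, spath_get and extract_count_after_key are this example's own.

```python
import json
import re

# Constructed sample event (not data from the original post): the JSON object
# stored in a single field, with an unrelated "count" key placed earlier in the
# document to show where a bare regex goes wrong.
SAMPLE_EVENT = json.dumps({
    "timestamp": "2024-03-01T00:00:00Z",
    "counters": {"count": 42, "errors": 0},
    "some_name": {
        "my.very.nested.json.output.some.more.strings.tomakeitcomplicated": {
            "count": 1,
            "max": 0.5,
            "mean": 0.1,
            "min": 0.092808133,
            "mean_rate": 0.30310791967810413,
            "duration_units": "seconds",
            "rate_units": "calls/second",
        }
    },
})

# Same pattern body as the thread's rex command; Python's re and Splunk's rex
# both accept the (?P<name>...) named-group syntax.
COUNT_RE = re.compile(r'"count":\s*(?P<count>\d+),')


def rex_count(raw):
    r"""Mimic `rex "\"count\":\s*(?P<count>\d+),"`: the first match in the
    string wins, regardless of which object that count belongs to."""
    m = COUNT_RE.search(raw)
    return int(m.group("count")) if m else None


def spath_get(raw, *path):
    """Walk the parsed JSON by an explicit sequence of keys, the way an spath
    path addresses a nested field. Each key is one path segment, so a key
    that itself contains dots is never split on '.' and cannot be confused
    with the path separator."""
    node = json.loads(raw)
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_count_after_key(raw, parent_key):
    """Regex variant anchored on the parent key, for when only rex is available
    (e.g. the JSON is a string inside another field). Still order-dependent:
    it assumes "count" is the first member of the parent object."""
    anchored = re.compile(
        re.escape(json.dumps(parent_key)) + r'\s*:\s*\{\s*"count":\s*(?P<count>\d+)'
    )
    m = anchored.search(raw)
    return int(m.group("count")) if m else None


if __name__ == "__main__":
    key = "my.very.nested.json.output.some.more.strings.tomakeitcomplicated"
    print("bare regex  :", rex_count(SAMPLE_EVENT))                      # 42, the wrong count
    print("path walk   :", spath_get(SAMPLE_EVENT, "some_name", key, "count"))  # 1
    print("anchored rex:", extract_count_after_key(SAMPLE_EVENT, key))   # 1
```

When the whole event is JSON, the path walk is the equivalent of spath and is the safe choice. When the JSON is a string inside another field and only rex is practical, anchor the regex on the enclosing key as above, and check the result against a handful of raw events before putting the extraction in props.conf, since the order of keys inside the object is not guaranteed.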

hugo_vazquez
Explorer

> This is a JSON string that is in a field, not the entire event, right?

Right.
Thanks for the regex. I tried it in the search bar and it returns the same results without the value I need (count=*).
I also tried extracting the field with no luck. I even checked the JSON with an online JSON viewer to make sure it's valid JSON.
What really troubles me is the fact that the result of my query won't change when I add the rex command.

cpetterborg
SplunkTrust

With the rex embedded in your search, do you get the field count having values in the events? If not, then the field is not available for you to use in your search.

From your example the rex I provided should extract the field count (unless you are calculating another count field using something like the stats command).
