When using the curl GET, I am receiving a JSON response, however with no field extraction. SPATH is not working, and neither are my manual regexes.
I would like the extracted fields from the JSON, or the JSON broken into multiple events.
Am I missing something?
A simple, single value result is:
{ "origin" : "NYC", "currency" : "USD", "results" : [ { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-17", "price" : "742.85", "airline" : "IB" } ] }
A multi value event example is:
{ "origin" : "NYC", "currency" : "USD", "results" : [ { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-17", "price" : "742.85", "airline" : "IB" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-18", "price" : "742.85", "airline" : "IB" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-19", "price" : "742.85", "airline" : "IB" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-13", "price" : "746.85", "airline" : "IB" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-14", "price" : "746.85", "airline" : "IB" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-16", "price" : "931.78", "airline" : "IB" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-11", "price" : "959.92", "airline" : "BA" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-10", "price" : "1062.46", "airline" : "AA" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-15", "price" : "1195.56", "airline" : "IB" }, { "destination" : "AGP", "departure_date" : "2018-09-09", "return_date" : "2018-09-12", "price" : "1394.32", "airline" : "AT" } ] }
Try this:
... | makemv delim=", " curl_response | mvexpand curl_response | table curl_response
Hey there, I have an issue like this: I get a JSON back without field extraction.
My search is:
index=wifi sourcetype=netxml
| table wireless-network.BSSID
| dedup wireless-network.BSSID
| curl method=POST uri=https://www.googleapis.com/geolocation/v1/geolocate?key=APIKEY
The response looks like:
{ "location": { "lat": 48.2453772, "lng": 11.6262551 }, "accuracy": 1186.0 }
Has anyone a hint for me? Thx
You can create your own question and reference this post.
@jkat54 - This did work and I ended up with:
...| makemv delim=", " "results{}" | mvexpand results{} | table results{}*
Thanks.
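As an added illustration (not code from this thread or from Splunk), here is a Python version of what the working search above achieves: flatten the curl JSON into spath-style field names and emit one event per element of the results array, with the parent fields carried onto each event. The sample inputs are the two responses posted in this thread; the field naming (results{}.price, location.lat) follows Splunk's spath convention.

```python
import json
from typing import Any, Dict, List

# Constructed samples, copied from the responses posted in this thread.
FLIGHTS = (
    '{ "origin" : "NYC", "currency" : "USD", "results" : [ '
    '{ "destination" : "AGP", "departure_date" : "2018-09-09", '
    '"return_date" : "2018-09-17", "price" : "742.85", "airline" : "IB" }, '
    '{ "destination" : "AGP", "departure_date" : "2018-09-09", '
    '"return_date" : "2018-09-18", "price" : "742.85", "airline" : "IB" } ] }'
)
GEOLOCATE = '{ "location": { "lat": 48.2453772, "lng": 11.6262551 }, "accuracy": 1186.0 }'


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten parsed JSON into spath-style field names: nested objects
    become dotted paths (location.lat) and arrays become multivalue
    fields whose name carries a trailing {} (results{}.price)."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for item in obj:
            for name, value in flatten(item, prefix + "{}").items():
                out.setdefault(name, []).append(value)
    else:
        out[prefix] = obj
    return out


def split_events(raw: str, array_key: str = "results") -> List[Dict[str, Any]]:
    """One flat event per element of array_key, with the parent fields
    (origin, currency) copied onto every event, which is what the
    makemv/mvexpand pipeline above produces. Expanding the parsed array
    avoids the delim=", " text split, which misfires as soon as a value
    itself contains ", "."""
    doc = json.loads(raw)
    items = doc.get(array_key)
    if not isinstance(items, list):
        # Nothing to expand (e.g. the geolocate reply): one flat event.
        return [flatten(doc)]
    parent = {k: v for k, v in doc.items() if k != array_key}
    return [flatten({**parent, f"{array_key}{{}}": item}) for item in items]
```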
@lennys26 did this help?
Did you try the xmlkv search command or xpath?
Can you share your search?
You might want to add the below props.conf in the UF:
props.conf
INDEXED_EXTRACTIONS = JSON
KV_MODE = none
That way Splunk will extract the file as JSON.
@nadlurinadluri - Normally this is where I would look, however this data is being pulled via REST curl on the SPL query line, therefore there is no UF (or props).
My bad, didn't realize that!! Will wait for someone to answer this 🙂