Splunk Search

Can you help me use the rex command to parse an API's JSON?

gcescatto
New Member

I have the following JSON, but I'm not really familiar with Splunk's rex function.
I tried this command without success: | rex "(?<json_field>{[^}]+})" | mvexpand json_field | spath input=json_field

[
  {
    "Eqpt Class Description": null,
    "Eqpt Criticality": "D",
    "Eqpt Criticality Desc": "Non Essential",
    "Eqpt Description": null,
    "Eqpt Type Description": "Instrumentation",
    "Maint Plant Caption": null,
    "Maint Plant Filter Code": null,
    "Maint Plant ID": null
  },
  {
    "Eqpt Class Description": null,
    "Eqpt Criticality": "D",
    "Eqpt Criticality Desc": "Non Essential",
    "Eqpt Description": null,
    "Eqpt Type Description": "Instrumentation",
    "Maint Plant Caption": null,
    "Maint Plant Filter Code": null,
    "Maint Plant ID": null
  },
  {
    "Eqpt Class Description": null,
    "Eqpt Criticality": "D",
    "Eqpt Criticality Desc": "Non Essential",
    "Eqpt Description": null,
    "Eqpt Type Description": "Instrumentation",
    "Maint Plant Caption": null,
    "Maint Plant Filter Code": null,
    "Maint Plant ID": null
  }
]


For me to be able to build a dashboard with it, I need it to be displayed similarly to this:


Could someone please help me parse this on "}, {"?

1 Solution

harsmarvania57
SplunkTrust

Hi @gcescatto,

There are two ways to achieve this. The first is to ingest the JSON data with correct extractions before indexing, and the other is to achieve it via a search query.

  • To achieve this with correct field extractions before data indexing:

Here you can apply the configuration below on the universal forwarder and then restart Splunk on the universal forwarder.

props.conf

[yoursourcetype]
INDEXED_EXTRACTIONS = JSON

  • If you do not want to change any configuration on the universal forwarder, and you don't have too much data, then you can achieve it via a search query. (Why I am saying "not too much data": a search query will generate extra load to do the parsing at search time if you have a lot of data, so I prefer correct field extraction before data indexing.)

Below is a search query to parse the data correctly:

<yourBaseSearch> | spath input=_raw | rename {}.* AS *

The above query will extract fields like Eqpt Class Description, Eqpt Criticality, etc.

Here is a run-anywhere search to test on any Splunk instance:

| makeresults
| eval _raw="[
  {
    \"Eqpt Class Description\": null,
    \"Eqpt Criticality\": \"D\",
    \"Eqpt Criticality Desc\": \"Non Essential\",
    \"Eqpt Description\": null,
    \"Eqpt Type Description\": \"Instrumentation\",
    \"Maint Plant Caption\": null,
    \"Maint Plant Filter Code\": null,
    \"Maint Plant ID\": null
  },
  {
    \"Eqpt Class Description\": null,
    \"Eqpt Criticality\": \"D\",
    \"Eqpt Criticality Desc\": \"Non Essential\",
    \"Eqpt Description\": null,
    \"Eqpt Type Description\": \"Instrumentation\",
    \"Maint Plant Caption\": null,
    \"Maint Plant Filter Code\": null,
    \"Maint Plant ID\": null
  },
  {
    \"Eqpt Class Description\": null,
    \"Eqpt Criticality\": \"D\",
    \"Eqpt Criticality Desc\": \"Non Essential\",
    \"Eqpt Description\": null,
    \"Eqpt Type Description\": \"Instrumentation\",
    \"Maint Plant Caption\": null,
    \"Maint Plant Filter Code\": null,
    \"Maint Plant ID\": null
  }
]"
| spath input=_raw
| rename {}.* AS *


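Added example (not code from the thread, from harsmarvania57, or from Splunk): a small Python model of what the accepted answer's two-step search does to this payload. spath names fields by JSON path, with object keys joined by "." and array elements marked by "{}", so a root-level array of objects yields multivalue fields such as "{}.Eqpt Criticality"; rename {}.* AS * then strips that prefix. The model goes a little beyond the posted payload by applying the same naming rule to nested objects and arrays, and it adds the check a practitioner wants before building a table: the multivalue fields only line up into rows if every array element carried every key. The function names and the sample payload are this example's own constructions.

```python
"""Model of `spath input=_raw | rename {}.* AS *` applied to a JSON array.

Added illustration, not code from the Splunk Community thread or from
Splunk itself. The naming rule (object key -> ".key", array element ->
"{}") follows the documented spath path syntax; how Splunk renders JSON
null is not asserted here, nulls are simply kept as None.
"""
import json

# Constructed sample: three array elements, trimmed from the question.
SAMPLE_RAW = json.dumps([
    {"Eqpt Criticality": "D", "Eqpt Criticality Desc": "Non Essential",
     "Eqpt Type Description": "Instrumentation", "Maint Plant ID": None},
    {"Eqpt Criticality": "D", "Eqpt Criticality Desc": "Non Essential",
     "Eqpt Type Description": "Instrumentation", "Maint Plant ID": None},
    {"Eqpt Criticality": "D", "Eqpt Criticality Desc": "Non Essential",
     "Eqpt Type Description": "Instrumentation", "Maint Plant ID": None},
])


def spath_flatten(raw):
    """Flatten a JSON document into {field_name: [value, ...]}.

    Object keys extend the path with ".key"; array elements extend it
    with "{}" and no dot, so a root-level array of objects produces
    field names like "{}.Eqpt Criticality" and a nested array under
    key b produces "a.b{}". Every scalar reached at the same path is
    appended, which is how one event ends up with multivalue fields.
    """
    fields = {}

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for item in node:
                walk(item, path + "{}")
        else:
            # Scalar (including None for JSON null): record it at this path.
            fields.setdefault(path, []).append(node)

    walk(json.loads(raw), "")
    return fields


def rename_array_prefix(fields):
    """Equivalent of `rename {}.* AS *`: drop a leading "{}." from names."""
    return {(k[3:] if k.startswith("{}.") else k): v for k, v in fields.items()}


def to_rows(fields):
    """Zip parallel multivalue fields into one row per array element.

    This is the shape a dashboard table needs. If some element lacked a
    key, that field is shorter than the others and zipping would shift
    values onto the wrong row, so refuse rather than misalign silently.
    """
    lengths = {len(values) for values in fields.values()}
    if len(lengths) != 1:
        raise ValueError(f"multivalue fields have differing counts: {lengths}")
    count = lengths.pop()
    return [{k: v[i] for k, v in fields.items()} for i in range(count)]


def parse_api_json(raw):
    """Full pipeline: spath-style flatten, strip the {} prefix, build rows."""
    return to_rows(rename_array_prefix(spath_flatten(raw)))


if __name__ == "__main__":
    flat = spath_flatten(SAMPLE_RAW)
    print(sorted(flat))          # field names as spath would produce them
    for row in parse_api_json(SAMPLE_RAW):
        print(row)               # one row per array element
```

Two caveats that follow from the question's own attempt: rex returns only the first match unless max_match=0 is set, and a brace-matching regex cannot cope with nested objects, which spath handles by path. Whichever search-time route is used, the dashboard table is the to_rows() output, one row per array element, and the length check there is the part worth keeping: an API that omits a key for some elements will otherwise hand the dashboard misaligned rows without any error.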
