Solved: How to regex over nested jsons with foreach and re...

neuromantik · ‎01-25-2020

Hi everyone,

Currently I have a log record in the form of nested jsons, not arrays of jsons:

{"root_key": {"subkey_0": {nested json string}, ... , "subkey_N": {nested json string}}}

I want to extract some fields with rex from each subkey json string.
Is it possible somehow to accomplish this by foreach and rex?

Something like this pseudocode:

foreach subkey:
    (field_value_0, ... field_value_M) <--- rex(subkey json string)

The goal is to build the following list:

[
    [field_value_0, ... field_value_M],
    ...
    [field_value_0, ... field_value_M]
]

And to display it with table command.

to4kawa · ‎01-25-2020

| makeresults 
| eval _raw="{\"root_key\": {\"subkey_0\": {a},\"subkey_1\": {b} , \"subkey_N\": {c}}}" 
| rex ":(?<json>.+)}$"
| rex field=json max_match=1000 ": \{(?<field_value>.+?)\}"

limits: 1000 objects. if you want more, change max_match args.

View solution in original post

to4kawa · ‎01-25-2020

| makeresults 
| eval _raw="{\"root_key\": {\"subkey_0\": {a},\"subkey_1\": {b} , \"subkey_N\": {c}}}" 
| rex ":(?<json>.+)}$"
| rex field=json max_match=1000 ": \{(?<field_value>.+?)\}"

limits: 1000 objects. if you want more, change max_match args.

How to regex over nested jsons with foreach and rex?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes