Part 2: How to extract a json portion of an event ...

lpolo · ‎03-20-2013

I have the following log event but I have not been able to use spath to extract the json key=value pairs if the json portion contains arrays. Event example:

2013-03-12 10:37:10,205 <tvsquery id=58b6bf4d-948b-416b-8d17-cedcbc1059ec>{
"start" : 1,
"returned" : 1,
"count" : 1,
"entities" : [ {
"houses" : {
"callers" : "IM",
"placeid" : 5041447014850446107,
"number" : 14,
"sourceid" : 5625
},
"entitytype" : "house/street",
"title" : [ {
"default" : "No Place"
} ]
} ]
}</tvsquery>

The following answer solved the problem if the json protion does not contain any array:

http://splunk-base.splunk.com/answers/79029/part-1-how-to-extract-a-json-portion-of-an-event-then-us...

I having a hard time to make it work.

Any help please!

Thanks,
Lp

lpolo · ‎03-28-2013

The following regex will work, if and only if, there is not any new line in the event:

rex "[^>]+)>(?.+?)"

Therefore, I was able to make it work by trimming the event before the regular expression as follow:

| rex field=_raw mode=sed "s/[\r\n]//g"
| rex "[^>]+)>(?.+?)"

Then, the extracted field "response" can be processed by spath search command.

Regards,
Lp

jonuwz · ‎03-20-2013

Look at my answer in the original question you linked. It extracts everything, including values in arrays

lpolo · ‎03-21-2013

I tried but It does not work. The regex does not return any value. what do you suggest?

Thanks,
Lp

Part 2: How to extract a json portion of an event then use spath to extract key=value pairs

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!