Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract field from json array?

haobin
Explorer
‎11-24-2010 08:00 AM

If I have a log which is in JSON format and contains array in JSON, can Splunk extract values in this array? For example,

{"name": ["john", "mark", "abby"]}

how can I write a regular expression to parse this string and get the field like

name=john name=mark name=abby

Thank you.

Tags (1)
Reply

markmcd
Path Finder
‎07-25-2013 12:54 AM

After having played around with the 'jsonkv' tool in the 'jsonutils' app on SplunkBase, I got stuck on parsing array values.

Fortunately Splunk 5 has a search command 'spath' that does the job.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Spath

I had to extract the JSON component of my log entry into its own field and pass it to |spath input=raw_json, then the rest worked as documented.

Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-04-2011 03:08 AM

Here's the poor-man's method of extracting the multi-value array for the name field at search time. This example will strip any surrounding punctuation from the names. It assumes that your sourcetype is "jsonarray", and it will create a multi-valued field called 'name_mv' that contains the array elements.

PROPS.CONF:
[jsonarray]
REPORT-json = xf-jsonarray, xf-jsonmv

TRANSFORMS.CONF:
[xf-jsonarray]
REGEX  = \{"(?<_KEY_1>[^"]+)":\s\[(?<_VAL_1>[^\]]+)

[xf-jsonmv]
SOURCE_KEY = name
REGEX = ("?)(?<name_mv>[^,"]*)("?)(,\s*)?
MV_ADD = true

With the mv field created, you can then do searches that look for array elements, like:

sourcetype=jsonarray name_mv=abby

HTH
Ron

Reply

carasso
Splunk Employee
Splunk Employee
‎01-06-2011 07:00 PM

Splunk does not parse json at index time, and at search-time any sort of regex would do a half-hearted job, especially on your example where a value is a list.

There are two options:

1) The fastest option is to add a scripted input. For example, you can write a little python program to convert json to attr=val format and output the logs in a friendly format, before splunk is called: http://www.splunk.com/base/Documentation/latest/Admin/Setupcustom%28scripted%29inputs

2) Another option is to write a custom search command to do the conversion for you at search-time. It's slower, but allows you to tweak it as needed, and apply it only when you want -- http://www.splunk.com/base/Documentation/latest/SearchReference/Customsearchshape

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-04-2011 02:42 AM

Conveniently, someone has written some of these utilities and put them up on Splunkbase: http://splunkbase.splunk.com/apps/All/4.x/app:jsonutils

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...