Re: Help extracting information from JSON file

UnaBizLeon · ‎09-20-2017

Json Format ↓
{
"device":"A123",
"data":"28745637",
"time":"1505924687",
}

"2874" = 28.74 , means tempurature , and "5637" = 56.37% humidity .

How to display as below↓

if ( tempurature > 25 & humidity >50)
{
display matching data ;
}

UnaBizLeon · ‎09-20-2017

Thanks , My problem has been successfully resolved !!

gokadroid · ‎09-20-2017

your query to return events
| rex "data\"\:\"(?<temp>\d{4})(?<humid>\d{4})"
| search temp>2500 and humid>5000

If you want the percentages to display then you can add following to above and table the evals.

    | eval temperature=round(temp/100,2)
    | eval humidity=round(humid/100, 2)
   | table temperature, humidity

sshelly_splunk · ‎09-20-2017

In transforms.conf (to extract temperature and humidity fields)

REGEX = "data":"(?P<temperature>\d{4})(?P<humidity>\d{4})

You can than do an eval like the following:
| eval temp=round(temperature/100, 2)

I'll keep poking around to see how to insert a decimal into the field, but not sure how to do that right now:)

DalJeanis · ‎09-20-2017

@sshelly - something like this should work. I don't believe the . needs escaped in the format.

[temp]
 REGEX = "data":"(\d{2})(\d{2}) 
 DEST_KEY = temperature
 FORMAT = \1.\2

[humid]
 REGEX = "data":"\d{4}(\d{2})(\d{2}) 
 DEST_KEY = humidity
 FORMAT = \1.\2

Help extracting information from JSON file

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio