- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I extract ALL occurrences of a field from ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I extract ALL occurrences of a field from JSON file?
23.10.2017 14:01:23.745 INFO [10.87.80.251 [1508785283744] POST /apps/globallog HTTP/1.1] InfoLoggerServiceImpl {"id":{"field1":"DDDDDDD","field2":"XXXXXX","field3":"XXXXXXX","field4":"BBBBBB"},"request":{"url":"https://CCCCC-detail.html","timestamp":"2017.10.23 14:01:23.745"},"info":{"api":[{"NAME":"API1","CORRELATIONID":" VVVV","URL":"API1.json"},{"NAME":"API2","CORRELATIONID":" VVVV ","URL":"API2.json"}]}}
Was able to extract the fields as Name/Values pairs; but only the first occurrence is extracted ie. API2 is not getting extracted
From the above ONLY API1 was extractable but not "NAME":"API2","CORRELATIONID":" VVVV ","URL":"API2.json, I was assuming the below would have shown 2 URLs, 2 Names, 2 Correlation ID
URL is calling 2 APIs and only one of them seems is extracted by the below syntax
This was used to extract the name/value pairs
[json_embedded]
REGEX = "(\w+)"."(\S+?)"
FORMAT = $1::$2
Appreciate any help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this for your transforms.conf entry
[json_embedded]
REGEX = "(\w+)"."(\S+?)"
FORMAT = $1::$2
REPEAT_MATCH = true
MV_ADD = true
Reference: https://answers.splunk.com/answers/484037/multi-value-field-extraction-propsconf-transformsc.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
23.10.2017 14:01:23.745 INFO [10.87.80.251 [1508785283744] POST /apps/globallog HTTP/1.1] InfoLoggerServiceImpl {"id":{"field1":"DDDDDDD","field2":"XXXXXX","field3":"XXXXXXX","field4":"BBBBBB"},"request":{"url":"https://CCCCC-detail.html","timestamp":"2017.10.23 14:01:23.745"},"info":{"api":[{"NAME":"API1","CORRELATIONID":" VVVV","URL":"API1.json"},{"NAME":"API2","CORRELATIONID":" VVVV ","URL":"API2.json"}]}}
Was able to extract the fields as Name/Values pairs; but only the first occurrence is extracted ie. API2 is not getting extracted
From the above ONLY API1 was extractable but not "NAME":"API2","CORRELATIONID":" VVVV ","URL":"API2.json, I was assuming the below would have shown 2 URLs, 2 Names, 2 Correlation ID
URL is calling 2 APIs and only one of them seems is extracted by the below syntax
This was used to extract the name/value pairs
[json_embedded]
REGEX = "(\w+)"."(\S+?)"
FORMAT = $1::$2
Appreciate any help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @Sanjay71, can you review your post and "XXX" out any sensitive fields? Answers is a public forum, so anyone can see this post by searching online. Specifically field 1 and 3 stood out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lfedak - any thoughts on my question? Thanks
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
