- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract values from nested json?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract values from nested json?
I have the below json for which I want to extract all the values of FIELDNAME.
"MY_DETAILS": [
{
"ACTION": "Add",
"OLD_VALUES": "",
"FIELDNAME": "ABCD",
"TIME": "17-Feb-2016 1:08 PM",
"NAME": "Jane Doe",
"NEW_VALUEs": "",
"NAME": "Jane1234"
},
{
"ACTION": "Add",
"OLD_VALUES": "",
"FIELDNAME": "XYZ",
"TIME": "17-Feb-2016 1:08 PM",
"NAME": "Jane Doe 2",
"NEW_VALUEs": "",
"NAME": "Jane1234"
},.................
I want to extract values FIELDNAME. In this case, the search should return ABCD and XYZ
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try like:
...| spath input=json|rename FIELDNAME as "your_FIELDNAME" |...|fields your_FIELDNAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have a syntactically correct and complete JSON object (your example is missing an opening {, closing ], and closing }). If you're sending the data in using a sourcetype with props.conf configuration that has INDEXED_EXTRACTIONS=json or AUTO_KV_JSON=true or KV_MODE=json (like the built-in sourcetypes like _json and json_no_timestamp ) then that field is automatically extracted as MY_DETAILS{}.FIELDNAME (indexed extractions -> index time extraction, the others are search time extractions).
Additionally / alternatively, if you're pulling the json object from a field, you can use the spath command or spath eval function to extract the same values. (these give you the added benefit, of say you want to extract only the first FIELDNAME value (e.g. "ABCD"), you could actually specify indices like | eval fieldname=spath(_raw,"MY_DETAILS{0}.FIELDNAME")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @acharlieh , but why does the following not work(to get the first child of MY_DETAILS)?
MY_DETAILS{0}.FIELDNAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sending with props.conf configuration that has INDEXED_EXTRACTIONS=json or AUTO_KV_JSON=true or KV_MODE=json.
The json which i have posted, it part of the whole json which has different KVP as well.
I tried this | eval fieldname=spath(_raw,"MY_DETAILS{0}.FIELDNAME") but it din work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Didn't work how? If this is nested further then you need to include those levels when running spath. Without sharing the complete event I couldn't tell you exactly what that is, only make a best guess based on what you shared. Is the entire event json (in which case you'd use _raw) or just a part of it (in which case you'd extract the entire json object to a different field then run spath)? You need a complete json object (no extra characters, no missing characters), to leverage either form of spath effectively.
You could also potentially use rex, with max_match=0 to match multiple times but you'd have to know the limits of your data to build that regular expression.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
