https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681075#M80368 <P>Consider I have multiple such JSON events pushed to splunk.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">{ "orderNum" : "1234", "orderLocation" : "demoLoc", "details":{ "key1" : "value1", "key2" : "value2" } }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I am trying to figure out a spunk query that would give me the following output in a table&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="25%" height="25px">orderNum</TD><TD width="25%" height="25px">key</TD><TD width="25%" height="25px">value</TD><TD width="25%" height="25px">orderLocation</TD></TR><TR><TD width="25%" height="25px">1234</TD><TD width="25%" height="25px">key1</TD><TD width="25%" height="25px">value1</TD><TD width="25%" height="25px">demoLoc</TD></TR><TR><TD width="25%" height="25px">1234</TD><TD width="25%" height="25px">key2</TD><TD width="25%" height="25px">value2</TD><TD width="25%" height="25px">demoLoc</TD></TR></TBODY></TABLE><P><BR /><STRONG>the value from the key-value pair can be an escaped JSON string. we also need to consider this while writing regex.</STRONG></P> Tue, 26 Mar 2024 18:08:55 GMT adikrhd 2024-03-26T18:08:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681075#M80368 <P>Consider I have multiple such JSON events pushed to splunk.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">{ "orderNum" : "1234", "orderLocation" : "demoLoc", "details":{ "key1" : "value1", "key2" : "value2" } }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I am trying to figure out a spunk query that would give me the following output in a table&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="25%" height="25px">orderNum</TD><TD width="25%" height="25px">key</TD><TD width="25%" height="25px">value</TD><TD width="25%" height="25px">orderLocation</TD></TR><TR><TD width="25%" height="25px">1234</TD><TD width="25%" height="25px">key1</TD><TD width="25%" height="25px">value1</TD><TD width="25%" height="25px">demoLoc</TD></TR><TR><TD width="25%" height="25px">1234</TD><TD width="25%" height="25px">key2</TD><TD width="25%" height="25px">value2</TD><TD width="25%" height="25px">demoLoc</TD></TR></TBODY></TABLE><P><BR /><STRONG>the value from the key-value pair can be an escaped JSON string. we also need to consider this while writing regex.</STRONG></P> Tue, 26 Mar 2024 18:08:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681075#M80368 adikrhd 2024-03-26T18:08:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681093#M80369 <P>This is kind of sed-y but it should work: (assuming your automatic kv field extraction is working on your json event)</P><P>&nbsp;</P><LI-CODE lang="markup">| spath input=_raw path=details output=hold | rex field=hold mode=sed "s/({\s*|\s*}|,\s*)//g" | makemv hold delim="\"\"" | mvexpand hold | rex field=hold "(?&lt;key&gt;[^,\s\"]*)\"\s:\s\"(?&lt;value&gt;[^,\s\"]*)" max_match=0 | table orderNum key value orderLocation</LI-CODE><P>&nbsp;</P> Mon, 18 Mar 2024 20:23:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681093#M80369 marnall 2024-03-18T20:23:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681134#M80373 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263556">@marnall</a>,<BR />I appreciate your response, it did work for me after tuning it a bit&nbsp;<BR /><BR /></P><LI-CODE lang="markup">| spath input=_raw path=details output=hold | rex field=hold mode=sed "s/({\s*|\s*}|\s*)//g" | makemv hold delim="," | mvexpand hold | rex field=hold "\"(?&lt;key&gt;[^\"]+)\":\"(?&lt;value&gt;[^\"]+)\"" | table orderNum key value orderLocation</LI-CODE><P><BR />However, I have a follow-up on this.<BR />our admin has set some limitations for mvexpand command when I try to increase the search period for the last 3 days,<BR />I get this warning:&nbsp;<BR /><STRONG>output will be truncated at 6300 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached.<BR /><BR /></STRONG>Is there any alternate way to achieve the same results without using mvexpand, considering that on average there can be more than 50-60 key-value present under the "details" of a single event, and there can be 40K events per 30 days (assuming the retention period of the events is 30 days)?</P> Tue, 19 Mar 2024 07:10:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681134#M80373 adikrhd 2024-03-19T07:10:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681242#M80377 <P>Does this work better?</P><LI-CODE lang="markup">| spath input=_raw path=details output=hold | rex field=hold "\"(?&lt;kvs&gt;[^\"]*\"*[^\"]*\"*[^\"]*\"*)\"" max_match=0 | stats values(*) as * by kvs | rex field=kvs "(?&lt;key&gt;[^\"]*)\" : \"(?&lt;value&gt;[^\"]*)" max_match=0 | table orderNum key value orderLocation</LI-CODE> Tue, 19 Mar 2024 19:46:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/681242#M80377 marnall 2024-03-19T19:46:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/682035#M80394 <P>did not work,</P><LI-CODE lang="markup">| makeresults | eval _raw = "{\"orderNum\":\"1234\",\"orderLocation\":\"demoLoc\",\"details\":{\"key1\":\"value1\",\"key2\":\"value2\"}}" | spath | spath input=_raw path=details output=hold | rex field=hold "\"(?&lt;kvs&gt;[^\"]*\"*[^\"]*\"*[^\"]*\"*)\"" max_match=0 | stats values(*) as * by kvs | rex field=kvs "(?&lt;key&gt;[^\"]*)\" : \"(?&lt;value&gt;[^\"]*)" max_match=0 | table orderNum key value orderLocation</LI-CODE><P>&nbsp;</P><P>the value from the key-value pair can be an escaped JSON string. we also need to consider this while writing regex.<BR /><BR /></P> Tue, 26 Mar 2024 18:08:14 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/682035#M80394 adikrhd 2024-03-26T18:08:14Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/684151#M80469 <P>Small tweak to the regex: (removing two space characters from the second-to-last line)</P><LI-CODE lang="markup">| makeresults | eval _raw = "{\"orderNum\":\"1234\",\"orderLocation\":\"demoLoc\",\"details\":{\"key1\":\"value1\",\"key2\":\"value2\"}}" | spath | spath input=_raw path=details output=hold | rex field=hold "\"(?&lt;kvs&gt;[^\"]*\"*[^\"]*\"*[^\"]*\"*)\"" max_match=0 | stats values(*) as * by kvs | rex field=kvs "(?&lt;key&gt;[^\"]*)\":\"(?&lt;value&gt;[^\"]*)" max_match=0 | table orderNum key value orderLocation</LI-CODE><P>&nbsp; If the value can be an escaped JSON string, then indeed you need to be more crafty with the regex. E.g.:</P><LI-CODE lang="markup">| makeresults | eval _raw = "{\"orderNum\":\"1234\",\"orderLocation\":\"demoLoc\",\"details\":{\"key1\":\"{\\\"jsonvalue\\\":\\\"jsonvaluevalue\\\",\\\"jsonvalue2\\\":\\\"jsonvaluevalue2\\\"}\",\"key2\":\"value2\"}}" | spath | spath input=_raw path=details output=hold | rex field=hold "(?&lt;kvs&gt;\"[^\"]*\":\"{?[^}]*}?\")" max_match=0 | stats values(*) as * by kvs | rex field=kvs "(?&lt;key&gt;[^\"]*)\":\"(?&lt;value&gt;{?[^{}]*}?)\"" max_match=0 | table orderNum key value orderLocation</LI-CODE> Sat, 13 Apr 2024 08:15:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-extract-key-values-from-a-json-object/m-p/684151#M80469 marnall 2024-04-13T08:15:44Z