topic Re: Extract unique Json String field value in Getting Data In

How to extract unique Json String field value?

srinim1234 — Mon, 28 Mar 2022 16:18:29 GMT

Hi,

I have the following JSON String logs. I would like to extract JSON unique field values. It should go over all the message fields and extract specific field values from a JSON array("name") and unique them. Could someone help with Splunk query?

Raw log

{
"@timestamp": "2022-03-28T07:38:45.123+00:00",
"message": "request - {\"metrics\":[{\"name\":\"m1\",\"downsample\":\"sum\"},{\"name\":\"m2\",\"downsample\":\"sum\"},{\"name\":\"m1\",\"downsample\":\"sum\"}]}"
}

JSON

 {
"metrics": [{
"name": "m1",
"aggregator": "sum",
}, {
"name": "m2",
"downsample": "sum"
}, {
"name": "m1",
"downsample": "sum"
}]
}

Expected Output:

m1
m2 
...

Re: Extract unique Json String field value

ITWhisperer — Mon, 28 Mar 2022 08:20:56 GMT

| rex max_match=0 "\\\\\"name\\\\\":\\\\\"(?<name>[^\\\\]+)" | eval name=mvdedup(name)

Re: Extract unique Json String field value

kamlesh_vaghela — Mon, 28 Mar 2022 08:22:27 GMT

@srinim1234

Can you please try below search?

YOUR_SEARCH | rex field=message \"name\":\"(?<name>\w+)\" max_match=0 | mvexpand name | table name

I suggest above search for your requirement.

Below search for learning purpose as another way of achieving same output.

YOUR_SEARCH | rex field=message "request - (?<data>.*)" | rename data as _raw | kv |mvexpand metrics{}.name | table metrics{}.name

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: Extract unique Json String field value

srinim1234 — Mon, 28 Mar 2022 08:56:06 GMT

Thank you! This helped!