topic Re: convert raw data in the event into json format in Getting Data In

convert raw data in the event into json format

sekhar463 — Thu, 19 Oct 2023 12:45:12 GMT

Hai All,

we have some data coming from splunk DB connect and one field has RAW data as below

how to convert the json payload data into readable format as i have attached pic how it should convert and below is the json data

The field we want to perform json operations on is report_json

tried with below search but not working and is anything we need to update in the DB query end to get the output

index="test1"
| search NOT errors="*warning Puppet*" NOT errors="*Permission*" report_json=*
| eval json_string=json(report_json), test=report_json
| table json_string, test, len(test)

Re: convert raw data in the event into json format

richgalloway — Thu, 06 Jul 2023 14:31:13 GMT

Please explain what you mean by "not working". What results do you expect and what results do you get?

The sample event does not contain valid JSON in the result_json field. Specifically, it's missing a closing brace and bracket. Splunk's JSON functions don't handle invalid JSON.

Re: convert raw data in the event into json format

ITWhisperer — Thu, 06 Jul 2023 15:36:43 GMT

Assuming your actually data has correct json (not the truncated version you supplied), if the report_json field has not already been extracted, then you can use this to extract it and use spath to parse the json string.

| rex "report_json=\"(?<report_json>.*)" | spath input=report_json

Re: convert raw data in the event into json format

sekhar463 — Thu, 19 Oct 2023 12:43:58 GMT

we are getting this data using DB connect from postgre db using below query and has 2 fields report_json AND I have modified the query to to convert json object.