topic Re: How to handle simple JSON array with spath in Getting Data In

How to handle simple JSON array with spath

ruman — Thu, 25 Oct 2012 20:16:37 GMT

The field value is ["","apples","oranges"]

| spath input=foo creates a multi-value field named '{}'. which is a little weird.

| spath input=foo output=bar fails. splunk complains

Error in 'spath' command: You have not specified a path. Try using "path=mypath" as an argument to spath.

I can't find a value for path that works, given that i want to address the root.

A kludgey workaround is | spath input=foo | rename "{}" AS bar, but it would be nicer if this was possible with spath alone.

Re: How to handle simple JSON array with spath

gryz — Thu, 25 Oct 2012 21:30:49 GMT

Are you sure that you are feeding it proper json formated data? I did some stuff with json that wasn't working quite right and it turned out we were not formating it correctly.

Re: How to handle simple JSON array with spath

ruman — Thu, 25 Oct 2012 21:46:05 GMT

The fact that spath input=foo correctly creates a multiple value field, with correct data, suggests that the JSON is well-formed.

As noted, the JSON in question is ["","apples","oranges"] - let me know if there's something wrong with that. Maybe I should provide the original event:

[25-Oct-2012 13:37:38] INFO [test] foo="[\"\",\"apples\",\"oranges\"]"

There's a transform that handles the escaped quotes gracefully.

Re: How to handle simple JSON array with spath

vliao — Mon, 11 Feb 2013 23:41:40 GMT

This might not answer your question, but I had a similar problem getting spath to work with an array of objects. For foo=[{"bar":1},{"bar":2},{"bar":3}], I did not even get a multivalued field named '{}' when using: | spath input=foo

I got spath to work by changing my log format and wrapping the JSON array in an object:

foo={"foo":[{"bar":1},{"bar":2},{"bar":3}]}

I was then able to use the following:

| spath input=foo output=bar path=foo{}.bar

Without altering the log, I was able to use:

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}.bar

Re: How to handle simple JSON array with spath

ruman — Fri, 15 Feb 2013 01:01:42 GMT

Wow! That's perfect. For my case, just a naked array instead of an array of objects, I was able to say

foo=["","apples","oranges"]

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}

Thanks!

Re: How to handle simple JSON array with spath

sivasn1 — Sun, 09 Aug 2015 15:26:46 GMT

Hey Guys,, when you use 'foo' everywhere, its a little difficult for me to follow which refers to which 'foo'.. Please use variants like 'foo2' or 'foo_key' etc for clarity for beginners

Re: How to handle simple JSON array with spath

sheshank_kodam — Thu, 04 Aug 2016 17:36:58 GMT

How do I extract the title information from the json and table it

[{
    'start_time': '2016-08-05T18:42:00Z',
    'title': u "event1",
    'end_time': '2016-08-05T20:49:00Z'
}, {
    'start_time': '2016-08-05T18:42:00Z',
    'title': u "event2",
    'end_time': '2016-08-05T20:49:00Z'
}]

Desired output (in table)
Title
event1
event2

Here is the search I have and it doesn't work

| spath input=err output=title path={}.title | table title

Re: How to handle simple JSON array with spath

ruman_splunk — Thu, 04 Aug 2016 21:29:58 GMT

https://en.wikipedia.org/wiki/Metasyntactic_variable#English

Re: How to handle simple JSON array with spath

DalJeanis — Thu, 01 Mar 2018 20:24:38 GMT

@sivasn1 -

The event JSON comes in with this data...

  foo1=["","apples","oranges"]

This takes the value above, prepends the name foo3 to it to establish a valid path in JSON format, and puts it into a variable named foo2.

 | eval foo2="{\"foo3\":" + foo1 + "}"

This takes the foo2 valid JSON variable we just created value above, and uses the spath command to tell it to extract the information from down the foo3 path to a normal splunk multivalue field named foo4.

| spath input=foo2 output=foo4 path=foo3{}

Using the above, you should be able to understand what was happening with the original code.

Here's a run-anywhere sample...

 | makeresults 
 | eval foo1="[\"\",\"apples\",\"oranges\"]"
 | eval foo2="{\"foo3\":" + foo1 + "}" 
 | spath input=foo2 output=foo4 path=foo3{}
 | table foo1 foo2 foo3 foo4

Note that with the above table command, field foo3 will be null, because it isn't a field in splunk, it is a field name assigned solely in the JSON data.

Re: How to handle simple JSON array with spath

sanjax90 — Wed, 30 Sep 2020 05:21:42 GMT

*How to use spath for below JSON to check if for AnalyticsExternalDataSizeMB Remaining/Max*100 is >=70%?*

{
"AnalyticsExternalDataSizeMB":{
"Max":478600,
"Remaining":40960
},
"ConcurrentAsyncGetReportInstances":{
"Max":200,
"Remaining":200
},
"ConcurrentEinsteinDataInsightsStoryCreation":{
"Max":5,
"Remaining":5
},
"ConcurrentEinsteinDiscoveryStoryCreation":{
"Max":2,
"Remaining":2
},
"ConcurrentSyncReportRuns":{
"Max":20,
"Remaining":20
},
"DailyAnalyticsDataflowJobExecutions":{
"Max":60,
"Remaining":60
},
"DailyAnalyticsUploadedFilesSizeMB":{
"Max":51200,
"Remaining":51200
},