https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190764#M37992 <P>Thank you so much for your comment.<BR /> Your solution works if field value is without double quotes. Like:<BR /> qValue=[{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"2","day":"Monday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"3","day":"Tuesday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"4","day":"Wednesday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"5","day":"Thursday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"6","day":"Friday"},{"id":null,"dayStart":"09:00","dayEnd":"17:00","dayOfWeek":"7","day":"Saturday"},{"id":null,"dayStart":null,"dayEnd":null,"dayOfWeek":"1","day":"Sunday"}]<BR /> Not sure if there is a solution when we have json in double quotes.</P> <P>Also we have few logs where field value starts with [[{ instead of [{. In that case given solution does not work. Would really appreciated you can suggest some pointers for that as well.</P> Mon, 06 Jul 2015 09:22:05 GMT swatijha 2015-07-06T09:22:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190762#M37990 <P>Below is the log:</P> <BLOCKQUOTE> <P>qCode="SOME_CODE",<BR /> qValue="[{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"2","day":"Monday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"3","day":"Tuesday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"4","day":"Wednesday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"5","day":"Thursday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"6","day":"Friday"},{"id":null,"dayStart":"09:00","dayEnd":"17:00","dayOfWeek":"7","day":"Saturday"},{"id":null,"dayStart":null,"dayEnd":null,"dayOfWeek":"1","day":"Sunday"}]"</P> </BLOCKQUOTE> <P>from which I have to show dayStart and dayEnd values. I have tried following query:</P> <BLOCKQUOTE> <P>index=myindex | spath | rename<BR /> {}.{}.dayStart as value | table value</P> </BLOCKQUOTE> <P>but this is not working. Is there a way that I can get values form JSON array?</P> Fri, 03 Jul 2015 10:27:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190762#M37990 swatijha 2015-07-03T10:27:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190763#M37991 <P>Like this:</P> <PRE><CODE>index=myindex | spath input=qValue | rename {}.* AS * | table dayStart dayEnd </CODE></PRE> Fri, 03 Jul 2015 14:20:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190763#M37991 woodcock 2015-07-03T14:20:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190764#M37992 <P>Thank you so much for your comment.<BR /> Your solution works if field value is without double quotes. Like:<BR /> qValue=[{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"2","day":"Monday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"3","day":"Tuesday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"4","day":"Wednesday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"5","day":"Thursday"},{"id":null,"dayStart":"08:00","dayEnd":"18:00","dayOfWeek":"6","day":"Friday"},{"id":null,"dayStart":"09:00","dayEnd":"17:00","dayOfWeek":"7","day":"Saturday"},{"id":null,"dayStart":null,"dayEnd":null,"dayOfWeek":"1","day":"Sunday"}]<BR /> Not sure if there is a solution when we have json in double quotes.</P> <P>Also we have few logs where field value starts with [[{ instead of [{. In that case given solution does not work. Would really appreciated you can suggest some pointers for that as well.</P> Mon, 06 Jul 2015 09:22:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190764#M37992 swatijha 2015-07-06T09:22:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190765#M37993 <P>I would classify any JSON or KeyValue data could be done<BR /> - Before Indexing<BR /> - After Indexing</P> <P>I prefer before indexing, as JSON is KV and when you display the data you get in "Interesting field section" automatically. Inorder to do that, just put in props.conf something like below</P> <PRE><CODE># props.conf [SPECIAL_EVENT] NO_BINARY_CHECK = 1 TIME_PREFIX = "timestamp" # or identify the tag within your JSON data pulldown_type = 1 KV_MODE = JSON BREAK_ONLY_BEFORE = (^{) </CODE></PRE> Mon, 06 Jul 2015 11:22:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190765#M37993 koshyk 2015-07-06T11:22:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190766#M37994 <P>You can easily remove the double-quotes like this:</P> <PRE><CODE> index=myindex | rex field=qValue mode=sed "s/\"//g" | spath input=qValue | rename {}.* AS * | table dayStart dayEnd </CODE></PRE> <P>If that works, please "Accept" the answer and if there is another question, then please ask a new question.</P> Tue, 07 Jul 2015 04:35:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-array-using-spath-or-any-other-option/m-p/190766#M37994 woodcock 2015-07-07T04:35:17Z