topic Get dynamic json property names in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Get-dynamic-json-property-names/m-p/277990#M53273 <P>I have some structured json logs that indicate some validation errors, and depending on the error, a different property is set with the value that caused the error. eg:</P> <P><CODE>{ "validationError": { "property" : { "title" : "" }, "errorType" : "Empty" } }</CODE><BR /> <CODE>{ "validationError": { "property" : { "category" : [] }, "errorType" : "Empty" } }</CODE><BR /> <CODE>{ "validationError": { "property" : { "category" : [ { "categoryId" : 12345 } ] }, "errorType" : "Invalid" } }</CODE><BR /> <CODE>{ "validationError": { "property" : { "thing" : { "thingId" : 9999 } }, "errorType" : "Disallowed" } }</CODE></P> <P>I would like to be able to retrieve the property name and its value: eg<BR /> <CODE>property | value | type</CODE><BR /> <CODE>---------+-------+-----------</CODE><BR /> <CODE>title | | Empty</CODE><BR /> <CODE>category | | Empty</CODE><BR /> <CODE>category | 12345 | Invalid</CODE><BR /> <CODE>thing | 9999 | Disallowed</CODE></P> Fri, 22 Jul 2016 06:21:34 GMT tmortiboy 2016-07-22T06:21:34Z Get dynamic json property names https://community.splunk.com/t5/Getting-Data-In/Get-dynamic-json-property-names/m-p/277990#M53273 <P>I have some structured json logs that indicate some validation errors, and depending on the error, a different property is set with the value that caused the error. eg:</P> <P><CODE>{ "validationError": { "property" : { "title" : "" }, "errorType" : "Empty" } }</CODE><BR /> <CODE>{ "validationError": { "property" : { "category" : [] }, "errorType" : "Empty" } }</CODE><BR /> <CODE>{ "validationError": { "property" : { "category" : [ { "categoryId" : 12345 } ] }, "errorType" : "Invalid" } }</CODE><BR /> <CODE>{ "validationError": { "property" : { "thing" : { "thingId" : 9999 } }, "errorType" : "Disallowed" } }</CODE></P> <P>I would like to be able to retrieve the property name and its value: eg<BR /> <CODE>property | value | type</CODE><BR /> <CODE>---------+-------+-----------</CODE><BR /> <CODE>title | | Empty</CODE><BR /> <CODE>category | | Empty</CODE><BR /> <CODE>category | 12345 | Invalid</CODE><BR /> <CODE>thing | 9999 | Disallowed</CODE></P> Fri, 22 Jul 2016 06:21:34 GMT https://community.splunk.com/t5/Getting-Data-In/Get-dynamic-json-property-names/m-p/277990#M53273 tmortiboy 2016-07-22T06:21:34Z Re: Get dynamic json property names https://community.splunk.com/t5/Getting-Data-In/Get-dynamic-json-property-names/m-p/277991#M53274 <P>So assuming your field is called yourField, I came up with the following (probably overcomplicated) query:</P> <PRE><CODE>| rex max_match=0 "(?m)(?&lt;yourField&gt;[^\n]+)" | fields - _raw | mvexpand yourField | spath input=yourField path=validationError.property output=propertyRaw | spath input=yourField path=validationError.errorType output=type | fields - yourField | spath input=propertyRaw | rex field=propertyRaw max_match=1 "(?msi)\"(?&lt;property&gt;[^\"]+)\"\s?:" | fields - propertyRaw | eval value = "" | eval temp = 'category{}.categoryId' | foreach * [ eval temp = if (match("&lt;&lt;FIELD&gt;&gt;", property), toString('&lt;&lt;FIELD&gt;&gt;'), "") | eval value = value . temp] | fields property, value, type | foreach * [ eval &lt;&lt;FIELD&gt;&gt; = if(match(&lt;&lt;FIELD&gt;&gt;, "Null"), null(), &lt;&lt;FIELD&gt;&gt;) ] </CODE></PRE> <P>Example:</P> <PRE><CODE>| stats count | fields - count | eval _raw = " { \"validationError\": { \"property\" : { \"title\" : \"\" }, \"errorType\" : \"Empty\" } } { \"validationError\": { \"property\" : { \"category\" : [] }, \"errorType\" : \"Empty\" } } { \"validationError\": { \"property\" : { \"category\" : [ { \"categoryId\" : 12345 } ] }, \"errorType\" : \"Invalid\" } } { \"validationError\": { \"property\" : { \"thing\" : { \"thingId\" : 9999 } }, \"errorType\" : \"Disallowed\" } } " | rex max_match=0 "(?m)(?&lt;yourField&gt;[^\n]+)" | fields - _raw | mvexpand yourField | spath input=yourField path=validationError.property output=propertyRaw | spath input=yourField path=validationError.errorType output=type | fields - yourField | spath input=propertyRaw | rex field=propertyRaw max_match=1 "(?msi)\"(?&lt;property&gt;[^\"]+)\"\s?:" | fields - propertyRaw | eval value = "" | eval temp = 'category{}.categoryId' | foreach * [ eval temp = if (match("&lt;&lt;FIELD&gt;&gt;", property), toString('&lt;&lt;FIELD&gt;&gt;'), "") | eval value = value . temp] | fields property, value, type | foreach * [ eval &lt;&lt;FIELD&gt;&gt; = if(match(&lt;&lt;FIELD&gt;&gt;, "Null"), null(), &lt;&lt;FIELD&gt;&gt;) ] </CODE></PRE> <P>Output, see picture below:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1628i4D0F08F8507D1FAE/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 25 Jul 2016 10:17:24 GMT https://community.splunk.com/t5/Getting-Data-In/Get-dynamic-json-property-names/m-p/277991#M53274 javiergn 2016-07-25T10:17:24Z