topic Re: How to parse JSON in Splunk? in Getting Data In

How to parse JSON in Splunk?

SuganyaSSF — Tue, 21 Mar 2017 13:22:50 GMT

Hi ,

I am using the Splunk REST API to call a rest service and i need to parse the data to Splunk.

We are getting the response like this

[{"port":"port1" , "version" :"1.o"},{"port":"port1" , "version" :"1.o"}]

However when i index this data to a JSON source type, i am not able to see the data in JSON format clearly and getting an response like this

[ [-] 
   { [+] 
   } 
   { [+] 
   } 
]

But if save the response to a JSON file and add that as input, we are able to get the data in correct format in Splunk.
Do we have a way to fix this?

Re: How to parse JSON in Splunk?

chuckers — Fri, 24 Mar 2017 20:55:18 GMT

Try a variant of this.

| rex "(?<json_blob>{.*})" | spath input=json_blob

You might need to tweak it a little to deal with the square brackets, but the idea is that the rex function isolates the json and then the spath parses out all the values.

Re: How to parse JSON in Splunk?

martin_mueller — Fri, 07 Apr 2017 12:43:51 GMT

Do you see your data when you expand the objects by clicking the plus icon?