topic Re: How to print multiple JSON root elements? in Getting Data In

How to print multiple JSON root elements?

amirrachman — Sat, 13 Apr 2019 06:55:42 GMT

Hi,

I've data like this

{
"container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
"container_name":"nginx",
"name":"eventBase0"
}
{
"name":"eventBase1",
"hostname":"google.com",
"pid":7
}

This above format are contain 2 multiple json root elements which second value "eventBase1" not shown on interesting fields in splunk dashboard. My output format is i want to get the second value and print on a table such as below.

+++++++++++++++++++++++++++++++
+++ name | hostname | pid +++

Thanks

Re: How to print multiple JSON root elements?

woodcock — Sat, 13 Apr 2019 17:49:09 GMT

Like this:

| makeresults 
| eval _raw="{
\"container_id\":\"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23\",
\"container_name\":\"nginx\"
    }
{
\"name\":\"eventBase1\",
\"hostname\":\"google.com\",
\"pid\":7
}"

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| rex mode=sed "s/([\r\n\s]+\})([\r\n\s]+\{[\r\n\s]+)/\1::::{\n/g"
| rename _raw AS raw
| makemv delim="::::" raw
| mvexpand raw 
| rename raw AS _raw
| spath

Re: How to print multiple JSON root elements?

amirrachman — Wed, 30 Sep 2020 00:09:42 GMT

For this command above, i need to concat all string with "\", the line of json format are very long, above is only example code, is there any other way to get only for second json root elements ?

| eval _raw="{
\"container_id\":\"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23\",
\"container_name\":\"nginx\"
}
{
\"name\":\"eventBase1\",
\"hostname\":\"google.com\",
\"pid\":7
}"

Re: How to print multiple JSON root elements?

harshpatel — Mon, 15 Apr 2019 05:35:08 GMT

Hi @amirrachman The problem here is you don't have your data as correct JSON format that's why Splunk couldn't extract those fields... If you want auto extraction you should have the following format in your case:

[{
     "container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
     "container_name":"nginx"
     },
     {
     "name":"eventBase1",
     "hostname":"google.com",
     "pid":7
     }]

i.e. JSON array

Re: How to print multiple JSON root elements?

amirrachman — Mon, 15 Apr 2019 07:12:37 GMT

hi @harshpatel yes, in this case, the logs is not have correct json format, for reformating, yes I create an concat array, then how i got the second value which I want ?

{
 "name":"eventBase1",
 "hostname":"google.com",
 "pid":7
 }

Re: How to print multiple JSON root elements?

harshpatel — Mon, 15 Apr 2019 07:26:53 GMT

Hi @amirrachman ,

You can either manually extract it at search time using rex command like:

| rex field=_raw "\"name\":\"(?<name>\w+)\""

OR
You can reformat your data so that it is in proper JSON format so Splunk can auto extract fields for you. I would recommend the latter.

Re: How to print multiple JSON root elements?

amirrachman — Mon, 15 Apr 2019 09:05:49 GMT

Hi @harshpatel, the json that I've is like below.
so I have both "name" field on the json files (I just revise my question on above). within those both "name", i want to take "name" on second value "eventBase1"

{
    "container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
    "container_name":"nginx",
    "name":"eventBase0"
    }
    {
    "name":"eventBase1",
    "hostname":"google.com",
    "pid":7
    }

Re: How to print multiple JSON root elements?

harshpatel — Mon, 15 Apr 2019 09:30:31 GMT

Try this:

| rex field=_raw "{\s*\"name\":\"(?<name>\w+)\""

Re: How to print multiple JSON root elements?

amirrachman — Mon, 15 Apr 2019 15:00:19 GMT

Thank @harshpatel it's working perfect as I want

Re: How to print multiple JSON root elements?

woodcock — Mon, 15 Apr 2019 15:13:15 GMT

You are TOTALLY missing the point. Read the line that is singled out. It says Everything above generates sample events; everything below is your solution. You only need the stuff below that line, the portion that begins with | rex ....