topic Re: Retrive only the key object from the json output in Getting Data In

Retrive only the key object from the json output

JyotiP — Wed, 18 Sep 2019 12:15:33 GMT

I have the following output and I want to extract only the key value of the JSON and those are addNewOrder,navigateReport etc in a table.

Details: {
    addNewOrder: {
       dur: 7706ms
       end: Wed Sep 18 2019 14:38:48 GMT+0530 (India Standard Time)
       navigationAPIData: {
         connectEnd: 1568797694032
         connectStart: 1568797694032
         domComplete: 1568797694775
         domContentLoadedEventEnd: 1568797694542
         domContentLoadedEventStart: 1568797694542
         domInteractive: 1568797694542
         domLoading: 1568797694255
         domainLookupEnd: 1568797694032
         domainLookupStart: 1568797694032
         fetchStart: 1568797694032
       }
        start: Wed Sep 18 2019 14:38:40 GMT+0530 (India Standard Time)
     }
    login: {
       dur: 7046ms
       end: Wed Sep 18 2019 14:38:17 GMT+0530 (India Standard Time)
       navigationAPIData: { 
       connectEnd: 1568797694032
         connectStart: 1568797694032
         domComplete: 1568797694775
         domContentLoadedEventEnd: 1568797694542
         domContentLoadedEventStart: 1568797694542
         domInteractive: 1568797694542
         domLoading: 1568797694255
         domainLookupEnd: 1568797694032
         domainLookupStart: 1568797694032
         fetchStart: 1568797694032
       }
       }
    navigateReport: { 
       dur: 2804ms
       end: Wed Sep 18 2019 14:38:28 GMT+0530 (India Standard Time)
     }   
    navigateOrder: {
       dur: 1804ms
       end: Wed Sep 18 2019 14:38:23 GMT+0530 (India Standard Time)
       }
    openNewOrder: { 
       dur: 1700ms
       end: Wed Sep 18 2019 14:38:33 GMT+0530 (India Standard Time)
       }
    openUrl: {
       dur: 3011ms
       end: Wed Sep 18 2019 14:38:00 GMT+0530 (India Standard Time)
       }
    }

Re: Retrive only the key object from the json output

kamlesh_vaghela — Wed, 18 Sep 2019 12:20:28 GMT

@JyotiP
Can you please share valid JSON event and your expected output?

Re: Retrive only the key object from the json output

JyotiP — Wed, 18 Sep 2019 12:27:41 GMT

@kamlesh_vaghela the JSON output is too big, I only want to select the Kep value and put them in the table,
addNewOrder,login,navigateReport,navigateOrder,openNewOrder,openUrl

Re: Retrive only the key object from the json output

klischatb — Wed, 18 Sep 2019 12:47:05 GMT

have u tried field extractions with regex like : dur:\s(?(\d{1,4}))

Re: Retrive only the key object from the json output

JyotiP — Wed, 18 Sep 2019 12:55:02 GMT

Tried, but not working

Re: Retrive only the key object from the json output

JyotiP — Wed, 18 Sep 2019 12:57:31 GMT

@kamlesh_vaghela I have updated the JSON

Re: Retrive only the key object from the json output

kamlesh_vaghela — Thu, 19 Sep 2019 06:02:19 GMT

Thanks @JyotiP

It would be better if a single sample event from _raw. Like below

 {"trx":[{"type":"y","src":"x","htlids":[{"htlid":"XX123456","errCode":"1257"}]},{"type":"y","src":"x","htlids":[{"htlid":"YY123456","errCode":"1257"}]}],"ClientId":245860224012578433,"SeqNb":3102,"Type":"RsMonitor","Epoch":1568798767432}

Another question:
Your all mentioend fields addNewOrder,login,navigateReport,navigateOrder,openNewOrder,openUrl have other fields. Do you need any specific fields like dur from these fields?

Re: Retrive only the key object from the json output

JyotiP — Thu, 19 Sep 2019 10:47:18 GMT

@kamlesh_vaghela nope I want to select only the above-mentioned value in a table.

Re: Retrive only the key object from the json output

jkat54 — Thu, 19 Sep 2019 11:20:58 GMT

Check out extended examples number 2 & 3 here:

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Spath

You need to spath, rename, zip, and then mvexpand. It's tricky but well documented. Follow the steps.