<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to fetch value from nested JSON in Dashboards &amp; Visualizations</title>
    <link>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563354#M46366</link>
    <description>&lt;P&gt;Remove &lt;STRONG&gt;field=f&lt;/STRONG&gt; from your query. For &lt;STRONG&gt;field&lt;/STRONG&gt;, you need to specify the actual name of a field that exists in your index &lt;STRONG&gt;dev&lt;/STRONG&gt;, or leave it out if you are extracting values from the &lt;STRONG&gt;_raw&lt;/STRONG&gt; event (rex reads &lt;STRONG&gt;_raw&lt;/STRONG&gt; by default).&lt;/P&gt;&lt;P&gt;Try without specifying &lt;STRONG&gt;field&lt;/STRONG&gt;:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index="dev" | rex "\"status\"\s:\s\"(?&amp;lt;status&amp;gt;\w+)\"" | stats count by status&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;If your data contains backslashes, use:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index="dev" | rex "\"status\\\\\"\s:\s\\\\\"(?&amp;lt;status&amp;gt;[^\\\]+)"&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 16 Aug 2021 03:27:34 GMT</pubDate>
    <dc:creator>manjunathmeti</dc:creator>
    <dc:date>2021-08-16T03:27:34Z</dc:date>
    <item>
      <title>How to fetch value from nested JSON</title>
      <link>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563170#M46357</link>
      <description>&lt;P&gt;Hi team,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How can I get the value of 'status' from the payload below in a Splunk search?&lt;/P&gt;&lt;P&gt;{"log":" \"status\" : \"END\",","payload":"stdout","time":"2021-08-13T11:54:17.255787345Z"}&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in Advance.&lt;/P&gt;</description>
      <pubDate>Fri, 13 Aug 2021 12:03:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563170#M46357</guid>
      <dc:creator>rkishoreqa</dc:creator>
      <dc:date>2021-08-13T12:03:38Z</dc:date>
    </item>
    <item>
      <title>Re: How to fetch value from nested JSON</title>
      <link>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563195#M46358</link>
      <description>&lt;P&gt;hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225991"&gt;@rkishoreqa&lt;/a&gt;,&lt;BR /&gt;&lt;BR /&gt;Use &lt;STRONG&gt;rex&lt;/STRONG&gt; command.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| makeresults 
| eval f="{\"log\":\" \"status\" : \"END\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}" 
| rex field=f "\"status\"\s:\s\"(?&amp;lt;status&amp;gt;\w+)\""&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If this reply helps you, a like would be appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Aug 2021 14:04:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563195#M46358</guid>
      <dc:creator>manjunathmeti</dc:creator>
      <dc:date>2021-08-13T14:04:14Z</dc:date>
    </item>
    <item>
      <title>Re: How to fetch value from nested JSON</title>
      <link>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563219#M46361</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090"&gt;@manjunathmeti&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I tried the query below, but it is not working.&amp;nbsp;&lt;/P&gt;&lt;P&gt;index="dev" |rex field=f "\"status\"\s:\s\"(?&amp;lt;status&amp;gt;\w+)\"" |stats count by status.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Aug 2021 16:48:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563219#M46361</guid>
      <dc:creator>rkishoreqa</dc:creator>
      <dc:date>2021-08-13T16:48:01Z</dc:date>
    </item>
    <item>
      <title>Re: How to fetch value from nested JSON</title>
      <link>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563237#M46362</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225991"&gt;@rkishoreqa&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you please try this?&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;YOUR_SEARCH
| rex field=_raw "\\\\\"status\\\\\"\s\:\s\\\\\"(?&amp;lt;status&amp;gt;.*)\\\\\","
| stats count by status&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;My Sample Search :&lt;/STRONG&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| makeresults | eval _raw="{\"log\":\" \\\"status\\\" : \\\"END\\\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| rex field=_raw "\\\\\"status\\\\\"\s\:\s\\\\\"(?&amp;lt;status&amp;gt;.*)\\\\\","
| stats count by status&lt;/LI-CODE&gt;&lt;P&gt;&lt;BR /&gt;&amp;nbsp;KV&lt;/P&gt;</description>
      <pubDate>Fri, 13 Aug 2021 18:39:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563237#M46362</guid>
      <dc:creator>kamlesh_vaghela</dc:creator>
      <dc:date>2021-08-13T18:39:47Z</dc:date>
    </item>
    <item>
      <title>Re: How to fetch value from nested JSON</title>
      <link>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563239#M46363</link>
      <description>&lt;P&gt;Is this a one time use extraction, or do you need to do this extraction on a regular basis?&amp;nbsp;&amp;nbsp;&amp;nbsp; Also, is the JSON formatting always identical where it always begins with:&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;{"log":" \"status\" : \"END\" &lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If it's only a one time use, what if you treat the double-quotes as a delimiter of a multivalue string?&amp;nbsp;&amp;nbsp; Then the SPL will be something like below to spit out&amp;nbsp;&amp;nbsp; \"status\"&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| makeresults 
| eval aaa="{\"log\":\" \\\"status\\\" : \"END\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}" 
| eval aaa="\\\"".mvindex(split(aaa, "\""), 4)."\""&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Aug 2021 19:10:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563239#M46363</guid>
      <dc:creator>williamchenyp</dc:creator>
      <dc:date>2021-08-13T19:10:52Z</dc:date>
    </item>
    <item>
      <title>Re: How to fetch value from nested JSON</title>
      <link>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563354#M46366</link>
      <description>&lt;P&gt;Remove &lt;STRONG&gt;field=f&lt;/STRONG&gt; from your query. For &lt;STRONG&gt;field&lt;/STRONG&gt;, you need to specify the actual name of a field that exists in your index &lt;STRONG&gt;dev&lt;/STRONG&gt;, or leave it out if you are extracting values from the &lt;STRONG&gt;_raw&lt;/STRONG&gt; event (rex reads &lt;STRONG&gt;_raw&lt;/STRONG&gt; by default).&lt;/P&gt;&lt;P&gt;Try without specifying &lt;STRONG&gt;field&lt;/STRONG&gt;:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index="dev" | rex "\"status\"\s:\s\"(?&amp;lt;status&amp;gt;\w+)\"" | stats count by status&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;If your data contains backslashes, use:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index="dev" | rex "\"status\\\\\"\s:\s\\\\\"(?&amp;lt;status&amp;gt;[^\\\]+)"&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 16 Aug 2021 03:27:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Dashboards-Visualizations/How-to-fetch-value-from-nested-JSON/m-p/563354#M46366</guid>
      <dc:creator>manjunathmeti</dc:creator>
      <dc:date>2021-08-16T03:27:34Z</dc:date>
    </item>
  </channel>
</rss>

