How do I access nested JSON?

tolikuznets — Wed, 15 Aug 2018 01:42:42 GMT

I have message that contains nested JSON inside which contains a message field that contains a Java exception

{xxxx: "some-fields-here",
    message:  {"logRecordType":"X",
"timestamp":"1533748762718","threadId":"42",,"message":"Background operation retry gave up
org.apache.zookeeper.KeeperException$SessionExpiredException: KeeperErrorCode = Session expired
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:127)
    at org.apache.curator.framework.imps.CuratorFrameworkImpl.checkBackgroundRetry(CuratorFrameworkImpl.java:728)
    at org.apache.curator.framework.imps.CuratorFrameworkImpl.processBackgroundOperation(CuratorFrameworkImpl.java:516)
    at org.apache.curator.framework.imps.GetChildrenBuilderImpl$2.processResult(GetChildrenBuilderImpl.java:166)
    at org.apache.zookeeper.ClientCnxn$EventThread.processEvent(ClientCnxn.java:615)
    at org.apache.zookeeper.ClientCnxn$EventThread.run(ClientCnxn.java:519)"} 

more-json-fields
}

How do I access the nested message field? tried different variations of using spath but was never able to get the nested message, only the top-level message.
Ideally, I'd want to replace \n with ; so that it wouldn't mess up my output downstream.

Re: How do I access nested JSON?

niketn — Wed, 15 Aug 2018 06:59:55 GMT

@tolikuznets , try the following command

 <yourCurrentSearch>
| rex "\"message\":\"(?<message>[^\"]+)"

Following is a run anywhere search based on your sample data:

| makeresults
| eval _raw="{xxxx: \"some-fields-here\", message: {\"logRecordType\":\"X\", \"timestamp\":\"1533748762718\",\"threadId\":\"42\",,\"message\":\"Background operation retry gave up org.apache.zookeeper.KeeperException$SessionExpiredException: KeeperErrorCode = Session expired at org.apache.zookeeper.KeeperException.create(KeeperException.java:127) at org.apache.curator.framework.imps.CuratorFrameworkImpl.checkBackgroundRetry(CuratorFrameworkImpl.java:728) at org.apache.curator.framework.imps.CuratorFrameworkImpl.processBackgroundOperation(CuratorFrameworkImpl.java:516) at org.apache.curator.framework.imps.GetChildrenBuilderImpl$2.processResult(GetChildrenBuilderImpl.java:166) at org.apache.zookeeper.ClientCnxn$EventThread.processEvent(ClientCnxn.java:615) at org.apache.zookeeper.ClientCnxn$EventThread.run(ClientCnxn.java:519)\"} }"
| rex "\"message\":\"(?<message>[^\"]+)"

topic How do I access nested JSON? in Splunk Search

How do I access nested JSON?

Re: How do I access nested JSON?