How to regex over nested jsons with foreach and rex?

neuromantik — Wed, 30 Sep 2020 03:55:11 GMT

Hi everyone,

Currently I have a log record in the form of nested jsons, not arrays of jsons:

{"root_key": {"subkey_0": {nested json string}, ... , "subkey_N": {nested json string}}}

I want to extract some fields with rex from each subkey json string.
Is it possible somehow to accomplish this by foreach and rex?

Something like this pseudocode:

foreach subkey:
    (field_value_0, ... field_value_M) <--- rex(subkey json string)

The goal is to build the following list:

[
    [field_value_0, ... field_value_M],
    ...
    [field_value_0, ... field_value_M]
]

And to display it with table command.

Re: How to regex over nested jsons with foreach and rex?

to4kawa — Sat, 25 Jan 2020 23:21:17 GMT

| makeresults 
| eval _raw="{\"root_key\": {\"subkey_0\": {a},\"subkey_1\": {b} , \"subkey_N\": {c}}}" 
| rex ":(?<json>.+)}$"
| rex field=json max_match=1000 ": \{(?<field_value>.+?)\}"

limits: 1000 objects. if you want more, change max_match args.

topic How to regex over nested jsons with foreach and rex? in Splunk Search

How to regex over nested jsons with foreach and rex?

Re: How to regex over nested jsons with foreach and rex?