topic Re: Extract part of JSON object with its child or nested attributes in Splunk Search

Extract part of JSON object with its child or nested attributes

imprabha1989 — Thu, 26 Nov 2020 14:31:50 GMT

Hi All,

Our data ingested into our Index are in proper JSON format & Splunk is converting into JSON object automatically , but I'm unable to extract/access any of the child object along with its nested attributes.

Example :

{
"name": "notificationService",
"requestId": "ee76e5cf-90cc-521f-bc96-bdf6f39f5bc8",
"parsedEvent": {
"event": {
"eventName": "Notification",
"timestamp": "2020-11-26T18:55:14.000+11:00",
"delivery": "NotifierSystem",
"notificationEventType": "EMAIL"
},
"metadata": {
"correlationId": "1603246877854"
}
},
"msg": "Starting to process event",
"time": "2020-11-26T08:02:39.123Z"
}

Search query : .... | table requestId, name, parsedEvent.metadata.correlationId, parsedEvent.event

Is getting me :

ee76e5cf-90cc-521f-bc96-bdf6f39f5bc8,notificationService, 1603246877854,<blank>

If you see, I'm not able to get the "parsedEvent.event" object along with its child attributes, but i'm able to access "parsedEvent.metadata.correlationId" successfully which doesn't have any child.

Any help would be appreciated.

Thanks in Advance.

Re: Extract part of JSON object with its child or nested attributes

ITWhisperer — Thu, 26 Nov 2020 15:11:39 GMT

Does this work for getting the eventName? That is, has the full extraction worked down to the lowest level?

table requestId, name, parsedEvent.metadata.correlationId, parsedEvent.event.eventName

Re: Extract part of JSON object with its child or nested attributes

imprabha1989 — Fri, 27 Nov 2020 08:12:24 GMT

@ITWhisperer

Yes, the full extraction to the lowest level is/are working. But it I want the whole event object with its nested attributes. We can use rex operation on _raw data but looking for something that can help us easily access it as we normally do with in JSON objects or something that converts pointed JSON object to a string.

Re: Extract part of JSON object with its child or nested attributes

ITWhisperer — Fri, 27 Nov 2020 08:20:41 GMT

Reparse _raw for the object you want

| spath path=parsedEvent.event

Re: Extract part of JSON object with its child or nested attributes

to4kawa — Fri, 27 Nov 2020 23:55:15 GMT

index=_internal | head 1 | fields _raw | eval _raw="{\"name\":\"notificationService\",\"requestId\":\"ee76e5cf-90cc-521f-bc96-bdf6f39f5bc8\",\"parsedEvent\":{\"event\":{\"eventName\":\"Notification\",\"timestamp\":\"2020-11-26T18:55:14.000+11:00\",\"delivery\":\"NotifierSystem\",\"notificationEventType\":\"EMAIL\"},\"metadata\":{\"correlationId\":\"1603246877854\"}},\"msg\":\"Starting to process event\",\"time\":\"2020-11-26T08:02:39.123Z\"}" | spath parsedEvent output=parsedEvent | spath input=parsedEvent event output=nest_event | spath input=parsedEvent metadata output=nest_metadata

Splunk deploys everything, so you'll have to do it yourself to put it together