https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532183#M150336 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp; I can spath but I have no idea how many iRules there will be per event or what they are named, and I don't know how many event types there will be or what they are named.&nbsp;</P> Mon, 07 Dec 2020 13:02:04 GMT kmaron 2020-12-07T13:02:04Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/531922#M150259 <P>I have a very complex nested JSON event and need to extract 2 fields. I've managed it with less complicated ones but this one has be a bit stumped.</P><P>I need to get the avgCycles and totalExecutions for each iRule - keeping hold of the name of the iRule.&nbsp;</P><P>My event looks like this:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{ [-] clientSslProfiles: { [+] } deviceGroups: { [+] } httpProfiles: { [+] } iRules: { [-] /Department/Shared/Department_HTML_rewrite_Rule: { [-] application: Shared events: { [-] CLIENT_ACCEPTED: { [+] } HTML_TAG_MATCHED: { [+] } HTTP_REQUEST: { [+] } HTTP_RESPONSE: { [-] aborts: 0 avgCycles: 28338 failures: 0 maxCycles: 1882653 minCycles: 8898 priority: 550 totalExecutions: 86269 } } name: /Department/Shared/Department_HTML_rewrite_Rule tenant: Department } /Common/Office-Rule: { [+] } /Common/Debug-Rule: { [+] .....</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Dec 2020 20:46:17 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/531922#M150259 kmaron 2020-12-03T20:46:17Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532099#M150314 <P>Why don't you <STRONG>spath </STRONG>and<STRONG> table</STRONG>?</P> Sat, 05 Dec 2020 07:00:53 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532099#M150314 to4kawa 2020-12-05T07:00:53Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532183#M150336 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp; I can spath but I have no idea how many iRules there will be per event or what they are named, and I don't know how many event types there will be or what they are named.&nbsp;</P> Mon, 07 Dec 2020 13:02:04 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532183#M150336 kmaron 2020-12-07T13:02:04Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532291#M150369 <P>The command cannot be applied firmly because there is no log of <STRONG>_raw</STRONG>, but<STRONG> spath output=</STRONG> should be fine.</P> Tue, 08 Dec 2020 08:30:54 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532291#M150369 to4kawa 2020-12-08T08:30:54Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532327#M150377 <P>I don't understand what you're saying.&nbsp; &nbsp;I need to pull out only the avgCycles and totalExecutions for every iRule, attached to the name of the iRule.&nbsp; but I do not know how many there are, or what they are named. spath is just the start. It doesn't do the extraction or allow me to isolate those fields when I don't know the iRule names.&nbsp;</P> Tue, 08 Dec 2020 13:12:52 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532327#M150377 kmaron 2020-12-08T13:12:52Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532397#M150402 <P>I can't make a regular expression because you're only presenting the processed log. Also, there are no multiple logs.</P> Tue, 08 Dec 2020 21:21:36 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-from-nested-JSON-event/m-p/532397#M150402 to4kawa 2020-12-08T21:21:36Z