topic Re: How to extract value from log events with type as json object or json array?? in Splunk Search

How to extract value from log events with type as json object or json array??

bhavika100 — Mon, 12 Jul 2021 22:12:59 GMT

Our event log has request and response. Request and response body can either be a json object or json array. I need to extract resquest.body and response.body to construct a field "httpdetails" which is a string . How can i achieve this using single spath function.

example of log events :

{ "message": { "request": { "body": {} }, "response": { "body": [ { "id": "85118db6-2d5c-6bb0-ff67-5bc9ef5d4a1f", "createdon": "2021-07-08T00:37:02.512Z" } ] } } }

{ "message": { "request": { "body": { "$limitafter": "2021-07-08T20:08:29.983Z" } }, "response": { "statuscode": 200, "body": { "count": "22" } } } }

Splunk query :

| spath output=response_data message.response.body | spath output=request_data message.request.body | eval request_data=if(isnull(request_data) , NULL , request_data) | eval response_data=if(isnull(response_data), NULL, response_data) | eval httpdetails="\n"+request_data+"\n-----------------Response---------------\n"+response_data, httpdetails = split(httpdetails,"\n") | eval details=if(isnotnull(httpdetails), httpdetails, details)

After running this query "httpdetails" is shown below. Here response_data for first log event is coming as NULL instead of object array. How can I fix this??

Re: How to extract value from log events with type as json object or json array??

venkatasri — Tue, 13 Jul 2021 05:05:42 GMT

Hi @bhavika100

Can you try this, I would have done this much cleaner however your json payload is so dynamic with arrays and field names change.

| eval req=replace(json_extract(_raw, "message.request"),"body","") | eval res=replace(json_extract(_raw, "message.response"),"body","") | eval httpdetails="\n"+req+"\n-----------------Response---------------\n"+res, httpdetails = split(httpdetails,"\n") | eval details=if(isnotnull(httpdetails), httpdetails, details) | table details

You can further truncate {" if you want much cleaner, response does come-up with this SPL.

---

An upvote would be appreciated and Accept Solution if this reply helps!

Re: How to extract value from log events with type as json object or json array??

bhavika100 — Fri, 16 Jul 2021 00:45:31 GMT

Hi @venkatasri Thanks for the quick resposne. This solution works fine for the above logs. I tried to implement the same in my query but fails when either request or response body is null. Log event is as below.

log event:

{ "message": { "request": { "body": null }, "response": { "statuscode": 200, "body": { "id": "e4214ec1-3d16-6083-ec11-beb01188ddaf" } } } }

details is coming as empty for this log event.

Re: How to extract value from log events with type as json object or json array??

venkatasri — Fri, 16 Jul 2021 01:01:30 GMT

@bhavika100 Sure thing let me find out.

Re: How to extract value from log events with type as json object or json array??

venkatasri — Fri, 16 Jul 2021 01:08:48 GMT

@bhavika100 I have tried your new payload there message.request.body = null hence same has been showing in output as null below and response is fine.

---

An upvote would be appreciated if this reply helps!

Re: How to extract value from log events with type as json object or json array??

bhavika100 — Fri, 16 Jul 2021 15:10:52 GMT

This works!!