How to extract a field out of JSON, and then use to get a count

chktlm — Wed, 20 Nov 2019 17:39:00 GMT

Hi. I am trying to get a count on the first field within my logs, of the requestBody json input. Below is an example of the log:

2019-11-20 17:20:03,802 INFO  [qqq1000000-10000] web.service.logging.IncomingRequest: ip=00.00.00.000, domain=http://url:0000/webService/web/Service/, username=null, date=[20/Nov/2019:17-20-03,802 +0000], method=POST uri=/webService/web/Service?schema=1.0&form=JSON&httpError=true&cid=12345, status=200, contentLength=68, responseTime=190, userAgent=WebServiceClient<Service> 3.5, referrer=, cacheStatus=miss, cid=12345 requestBody={"createPerson":{"customerId":"55555555.customer"}}, x-accountexternalid=987654321, api=service.create, x-partner=Partner, cid=12345

How would I grab the first entry in the JSON of the requestBody element, and then make that a field, so I can get a count. From the example above, I would want to grab createPerson from the requestBody section. Make this a field so I can then grab a count of the incoming requestBody first element? There would be other fields besides just createPerson. So I just want to extract that field within the quote, and get the count for each different element that is in that position of our incoming requests.

Re: How to extract a field out of JSON, and then use to get a count

mayurr98 — Wed, 20 Nov 2019 18:18:25 GMT

try this:

...| rex "requestBody=\{\"(?<requestBody>\w+)" | stats count by requestBody

Re: How to extract a field out of JSON, and then use to get a count

chktlm — Mon, 25 Nov 2019 14:40:56 GMT

Thank you very much mayurr98. Worked perfectly!

topic Re: How to extract a field out of JSON, and then use to get a count in Splunk Search

How to extract a field out of JSON, and then use to get a count

Re: How to extract a field out of JSON, and then use to get a count

Re: How to extract a field out of JSON, and then use to get a count