topic How do I perform field extraction and index the data contained in the one detail field which is json within json? in Splunk Search

How do I perform field extraction and index the data contained in the one detail field which is json within json?

jet — Thu, 18 Aug 2022 04:50:21 GMT

I have a modular input to write to Splunk using

event = Event()

event.data = json.dumps(data)

ew.write_event(event)

This all works fine except that in some event.data records there is a detail field that also contains data in json format which is written to Splunk as a string.

How do I perform field extraction and index the data contained in the one detail field which is json within json?

Re: Json within Json in a modular input...

yuanliu — Thu, 18 Aug 2022 04:16:16 GMT

As I often remind people, it is much easier for others to help if they can see sample data.

The answer to your question really depends on how the JSON string is escaped. In the simplest situation, spath is sufficient. In the following example, field c is already conformant.

| spath input=c

_raw	a	b	c	i1	i2
{"a":1,"b":2,"c":"{\"i1\":4,\"i2\":5}"}	1	2	{"i1":4,"i2":5}	4	5

Re: Json within Json in a modular input...

jet — Thu, 18 Aug 2022 05:32:42 GMT

Thanks!

In the attached simple example, the detail field contains json which ideally I would like indexed....

Re: Json within Json in a modular input...

yuanliu — Thu, 18 Aug 2022 05:49:11 GMT

All you need is to replace input=c with input=detail in my sample code, i.e.,

| spath input=detail

Re: Json within Json in a modular input...

jet — Thu, 18 Aug 2022 20:38:28 GMT

Awesome! Is there anyway to set that as a default from a modular input?

Re: Json within Json in a modular input...

yuanliu — Thu, 18 Aug 2022 21:44:25 GMT

By modular input you mean a sourcetype and such? No. (Maybe you can submit as an idea at ideas.splunk.com. There was another very recent question of a similar nature.)