topic Re: How to extract value from search response which has a text plus json? in Splunk Search

How to extract value from search response which has a text plus json?

aliosa — Thu, 24 Aug 2023 19:15:56 GMT

Hello

I am beginner with Splunk.
I made a query and my search result is like

text1 text2 text3 response: { "status":"UP", "object1":{ "field1":"name1", "status":"UP" }, "object2":{ "field2":"name2", "status":"UP" }, "object3":{ "object4":{ "field4":"name4", "status":"UP" }, "object5":{ "field5":"name5", "status":"UP" }, "status":"UP" }, "object6":{ "field6":"name6", "status":"UP" } }

I want to obtain the value for object3.status for a column of table.
How to do this ?
With rex field=_raw or spath ?

Thank you in advance.

Re: How to extract value from search response which has a text plus json?

ITWhisperer — Fri, 25 Aug 2023 08:49:32 GMT

| rex "response: (?s)(?<response>.*)" | spath input=response object3.status output=status | table status

Re: How to extract value from search response which has a text plus json?

aliosa — Fri, 25 Aug 2023 06:53:20 GMT

Hello
That json come in search response in multiple lines.
This is not working for me

rex "response: (?<response>.*)"
because response is "{".

Maybe rex should ignore new line characters (\n) to solve this situation.

and response would be all json {....}

Re: How to extract value from search response which has a text plus json?

aliosa — Fri, 25 Aug 2023 08:27:09 GMT

Hello
I use

| rex "response: (?s)(?<response>.*)"
| spath input=response object3{}.status output=status
| table response, status
and it works.

Any better idea ?

Re: How to extract value from search response which has a text plus json?

ITWhisperer — Fri, 25 Aug 2023 08:50:58 GMT

I have updated my response.

If it works, this is probably the easiest way to do it. Any other method is likely to be more complex.

Re: How to extract value from search response which has a text plus json?

aliosa — Sat, 26 Aug 2023 10:34:19 GMT

thank you.