Extract value from JSON array of objects

AlexMcDuffMille — Tue, 18 Aug 2015 17:53:30 GMT

I have a JSON object that has an array inside of it. The array is a list of objects, not just a list of values. See below for an example.

I want to extract the 'duration' field for each event when the name is 'responseTime'. Does anyone know how to do that? I can also assume that it's always going to be the 2nd entry in the list, so if I could do something like Timings[1] that would work. I can't seem to get spath to work because I'm looking for an item within an array.

In the end, I would like to do something like graph/table the duration of the 'providerTime' and the 'responseTime'

{
    Timings: [ 
      { 
         duration:  218 
         name:  providerTime
      } 
      { 
         duration:  204 
         name:  responseTime
      } 
    ] 
 }

Re: Extract value from JSON array of objects

somesoni2 — Tue, 18 Aug 2015 22:17:41 GMT

My answer will assume following
1) The data is ingested as proper JSON and you should be seeing multivalued field for your array elements (KV_MODE = json)
2) As you said, responseTime is the 2nd element in and it appears only one.

So try something like this

your base search  | table Timings{}.* | eval temp=mvzip('Timings{}.duration','Timings{}.name',"##") | eval ResponseTime=mvindex(split(mvfilter(match(temp,".*##responseTime")),"##"),0)

topic Extract value from JSON array of objects in Splunk Search

Extract value from JSON array of objects

Re: Extract value from JSON array of objects