All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract fields with JSON values while creating a DB input in Splunk DB Connect?

gsrivastava
Explorer
‎09-18-2017 02:34 AM
  • I am creating a DB Input in DB Connect v3
  • My DB columns contains JSON values.
  • I am getting correct raw data in Splunk, but on selecting Table mode, the field does not have correct values. for ex, if the column name is status and the JSON it contains is : "[{"datasetId":1,"refreshStatus":16}]", then the field created in splunk is status but it only contains the value : '[{'.
  • All the rows in Splunk contains this same value '[{'
  • May be Splunk is using double quote as a delimiter to separate fields, but the JSON itself contains the quotes.
0 Karma
Reply

stefan_d
Path Finder
‎07-31-2018 07:21 AM

Hi there!

Have you managed to solve this problem?
I also have a similar issue, is it possible to grab the JSON data from a column in your DB input?

0 Karma
Reply

gsrivastava
Explorer
‎10-24-2017 10:45 PM

May be this happens because Splunk IFX uses comma(,) as a default delimiter to separate and extract fields but the JSON itself contains commas(,) , therefore the default regex which is generated separates the field when it encounters the first comma(,) .
So to extract any JSON field, one has to edit the original regex and make any changes required to extract the entire JSON field instead of '[}'

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-20-2017 06:18 PM

Hello gsrivastava . I am seeing my fields with the JSON. Try SELECT field and then do | table field

I am seeing {"key":"value,"key2":"value2"} etc.

Maybe you can show your SELECT with LIMIT 1 and the output you get.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-18-2017 05:13 PM

I am using DB Connect 2.4.0 with JSON data. A sample might be.

"record":{"subfield1":"value1","subfield2","value2"}

I use "SELECT record['subfield1'] AS subfield1.. WHERE record['subfield'] IS NOT NULL" to get the value.

And if subfield1 itself is JSONlike then I do something like rex field=subfield1 "\"somefield\":(?<somefieldT>.*?)[,}]" in order to get somefield out.

0 Karma
Reply

gsrivastava
Explorer
‎09-19-2017 01:53 AM

Thanks @burwell for responding. But I want complete json in a field and handle that json in splunk itself.
Sample JSON array is-

[  
   {  
      "set":3,
      "ids":[  
         9
      ],
      "status":12,
      "code":570,
      "idDetails":[  
         {  
            "id":9,
            "status":12,
            "code":570
         }
      ]
   },
   {  
      "set":1,
      "ids":[  
         5,
         8
      ],
      "status":21,
      "code":601,
      "idDetails":[  
         {  
            "id":5,
            "status":21,
            "code":601
         },
         {  
            "id":8,
            "status":21,
            "code":601
         }
      ]
   }
]

With this kind of nested JSON and with multiple keys having the same name, its not possible to extract all the fields in SQL itself.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...