
How to extract the data present in curly braces {} in Splunk Search?

zen29d
Explorer

If the data is present in JSON format {[]} it gets extracted; however, data present in {} as shown below doesn't behave the same. How can fields and values be extracted from data in {}?

_raw data:

{"AlertEntityId": "abc@domai.com", "AlertId": "21-3-1-2-4--12", "AlertType": "System", "Comments": "New alert", "CreationTime": "2022-06-08T16:52:51", "Data": "{\"etype\":\"User\",\"eid\":\"abc@domai.com\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"abc@domai.com\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"Jeff Nichols <jeff@Nichols.com>\",\"sip\":\"1.2.3.4\",\"srt\":\"1\",\"trc\":\"abc@domai.com\",\"ms\":\"Grok - AI/ML summary, case study, datasheet\",\"lon\":\"UserSubmission\"}"}

When I run the query "| table Data", I get the result below, but how do I get the values of "eid" and "tsd"?

{"etype":"User","eid":"abc@domai.com","op":"UserSubmission","tdc":"1","suid":"abc@domai.com","ut":"Regular","ssic":"0","tsd":"Jeff Nichols <jeff@Nichols.com>","sip":"1.2.3.4","srt":"1","trc":"abc@domai.com","ms":"Grok - AI/ML summary, case study, datasheet","lon":"UserSubmission"}



ITWhisperer
SplunkTrust
| spath input=Data

zen29d
Explorer

Not working.


ITWhisperer
SplunkTrust

In what way?


zen29d
Explorer

The requirement is:
Data.eid should give the value "abc@domai.com"
Data.tsd should give the value "Jeff Nichols <jeff@Nichols.com>"

I tried the above query with the combinations below, but none of them gives a result.
| spath input=Data 
| spath output=sender path=Data.tsd


ITWhisperer
SplunkTrust
| makeresults
| fields - _time
| eval _raw="{\"AlertEntityId\": \"abc@domai.com\", \"AlertId\": \"21-3-1-2-4--12\", \"AlertType\": \"System\", \"Comments\": \"New alert\", \"CreationTime\": \"2022-06-08T16:52:51\", \"Data\": \"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"abc@domai.com\\\",\\\"op\\\":\\\"UserSubmission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"abc@domai.com\\\",\\\"ut\\\":\\\"Regular\\\",\\\"ssic\\\":\\\"0\\\",\\\"tsd\\\":\\\"Jeff Nichols &lt;jeff@Nichols.com&gt;\\\",\\\"sip\\\":\\\"1.2.3.4\\\",\\\"srt\\\":\\\"1\\\",\\\"trc\\\":\\\"abc@domai.com\\\",\\\"ms\\\":\\\"Grok - AI/ML summary, case study, datasheet\\\",\\\"lon\\\":\\\"UserSubmission\\\"}\"}"
| spath
| spath input=Data
| eval tsd=replace(tsd,"&lt;","<")
| eval tsd=replace(tsd,"&gt;",">")
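The two-step decode that search performs (parse the outer event, then parse the JSON string held in Data, then undo the HTML entities) written out as an added Python example; it is not code from the thread or from Splunk, and it is what you would run as a scripted input or pre-indexing step rather than in SPL. The sample event is the one from the question, constructed inline, including the &lt;/&gt; entities the forum inserted into tsd. The names parse_event, flatten and extract_fields are chosen here. Flattening with dotted keys produces the Data.eid and Data.tsd names the requirement asks for, which the spath answer above does not (it yields bare eid and tsd).

```python
import html
import json
from typing import Any, Dict, Iterable, Optional

# Constructed sample: the event from the question. The outer record is JSON and the
# "Data" member is a string that itself holds JSON (double-encoded). The &lt;/&gt;
# in "tsd" reproduce the HTML entities the forum inserted when the search was posted.
SAMPLE_EVENT = (
    '{"AlertEntityId": "abc@domai.com", "AlertId": "21-3-1-2-4--12", '
    '"AlertType": "System", "Comments": "New alert", '
    '"CreationTime": "2022-06-08T16:52:51", '
    '"Data": "{\\"etype\\":\\"User\\",\\"eid\\":\\"abc@domai.com\\",'
    '\\"op\\":\\"UserSubmission\\",\\"tdc\\":\\"1\\",\\"suid\\":\\"abc@domai.com\\",'
    '\\"ut\\":\\"Regular\\",\\"ssic\\":\\"0\\",'
    '\\"tsd\\":\\"Jeff Nichols &lt;jeff@Nichols.com&gt;\\",'
    '\\"sip\\":\\"1.2.3.4\\",\\"srt\\":\\"1\\",\\"trc\\":\\"abc@domai.com\\",'
    '\\"ms\\":\\"Grok - AI/ML summary, case study, datasheet\\",'
    '\\"lon\\":\\"UserSubmission\\"}"}'
)


def _unescape_strings(value: Any) -> Any:
    """Apply html.unescape to every string leaf (the replace(tsd,"&lt;","<") step)."""
    if isinstance(value, str):
        return html.unescape(value)
    if isinstance(value, dict):
        return {k: _unescape_strings(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_unescape_strings(v) for v in value]
    return value


def parse_event(raw: str, field: str = "Data", unescape_html: bool = False) -> Dict[str, Any]:
    """Step 1: parse the event (| spath). Step 2: if `field` is a string that looks like a
    JSON document, parse it too (| spath input=Data) and put the object back in its place.
    A plain string, or a value that is already an object, is left untouched."""
    event = json.loads(raw)
    inner = event.get(field)
    if isinstance(inner, str) and inner.lstrip()[:1] in ("{", "["):
        try:
            inner = json.loads(inner)
        except json.JSONDecodeError:
            pass  # not JSON after all: keep the original string
    if unescape_html:
        inner = _unescape_strings(inner)
    event[field] = inner
    return event


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts into the dotted names the question asks for (Data.eid, Data.tsd).
    Lists are kept as leaf values rather than expanded into Splunk's field{} notation."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def extract_fields(raw: str, wanted: Iterable[str], field: str = "Data",
                   unescape_html: bool = False) -> Dict[str, Optional[Any]]:
    """Return just the requested dotted fields; fields that do not exist come back as None."""
    flat = flatten(parse_event(raw, field, unescape_html))
    return {name: flat.get(name) for name in wanted}


if __name__ == "__main__":
    for name, value in extract_fields(SAMPLE_EVENT, ["Data.eid", "Data.tsd", "AlertId"],
                                      unescape_html=True).items():
        print(f"{name} = {value}")
```

Parsing the inner string as JSON, rather than scraping it with a regex, is the part that matters for detection content: tsd carries angle brackets and ms is free text that may contain commas, quotes or braces, so a pattern match on the raw event is fragile and gives an attacker control over what your field extraction sees. Turn on unescape_html only when you know the entities were added in transit (here, by the forum); events straight from the source normally do not contain them, and unescaping a legitimate "&amp;" in a URL would corrupt it.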

zen29d
Explorer

Thanks for the help.
