Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to fetch value from nested JSON
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this a one time use extraction, or do you need to do this extraction on a regular basis? Also, is the JSON formatting always identical where it always begins with:
{"log":" \"status\" : \"END\"
If it's only a time time use, what if you treat the double-quotes as a delimiter of a multivalue string? Then the SPL will be something like below to spit out \"status\"
| makeresults
| eval aaa="{\"log\":\" \\\"status\\\" : \"END\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| eval aaa="\\\"".mvindex(split(aaa, "\""), 4)."\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this a one time use extraction, or do you need to do this extraction on a regular basis? Also, is the JSON formatting always identical where it always begins with:
{"log":" \"status\" : \"END\"
If it's only a time time use, what if you treat the double-quotes as a delimiter of a multivalue string? Then the SPL will be something like below to spit out \"status\"
| makeresults
| eval aaa="{\"log\":\" \\\"status\\\" : \"END\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| eval aaa="\\\"".mvindex(split(aaa, "\""), 4)."\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try this?
YOUR_SEARCH
| rex field=_raw "\\\\\"status\\\\\"\s\:\s\\\\\"(?<status>.*)\\\\\","
| stats count by status
My Sample Search :
| makeresults | eval _raw="{\"log\":\" \\\"status\\\" : \\\"END\\\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| rex field=_raw "\\\\\"status\\\\\"\s\:\s\\\\\"(?<status>.*)\\\\\","
| stats count by status
KV
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @rkishoreqa,
Use rex command.
| makeresults
| eval f="{\"log\":\" \"status\" : \"END\",\",\"payload\":\"stdout\",\"time\":\"2021-08-13T11:54:17.255787345Z\"}"
| rex field=f "\"status\"\s:\s\"(?<status>\w+)\""
If this reply helps you, a like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried with below query, but it is not working.
index="dev" |rex field=f "\"status\"\s:\s\"(?<status>\w+)\"" |stats count by status.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remove field=f in your query. For field, you need to specify the actual field name that exists in your index dev. Or don't specify if you are extracting values from _raw event.
Try without specifying field:
index="dev" | rex "\"status\"\s:\s\"(?<status>\w+)\"" | stats count by statusIf you have backslashes in your data then,
index="dev" | rex "\"status\\\\\"\s:\s\\\\\"(?<status>[^\\\]+)"
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
