Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can you help us parse the following JSON ?

saranya12
New Member
‎01-21-2019 10:51 AM

i have tried the spath command, but no results. I would like to display the below data into a table as shown below:

10:40:19.682 INFO  com.sample.splunk.service.splunkService - Splunk_SampleJson —>{“fileNamesList:[{“fileName”:”fileName1.zip"},{"fileName":"fileName2.zip”},{“fileName":"fileName3.zip”}]} I wanted to get data in table format

FileName
——————
fileName1
fileName2
FileName3

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-21-2019 12:03 PM

Thats probably because spath works on pure json data and your long entry is not pure json (it has those timestamps and other info before the json portion). You can extract the json portion into a new field and use spath on that, e.g.

your base search | rex "^([^\{]+)(?<jsondata>.+)$" | spath input=jsondata

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-21-2019 02:15 PM

Like this:

| makeresults 
|  eval _raw="10:40:19.682 INFO com.sample.splunk.service.splunkService - Splunk_SampleJson —>{\"fileNamesList:[{\"fileName\":\"fileName1.zip\"},{\"fileName\":\"fileName2.zip\"},{\"fileName\":\"fileName3.zip\"}]}"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex max_match=0 "\"fileName\":\"(?<fileName>[^\"]+)"
| table fileName
| mvexpand fileName

You may not need the last line (try with and without).

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-21-2019 12:03 PM

Thats probably because spath works on pure json data and your long entry is not pure json (it has those timestamps and other info before the json portion). You can extract the json portion into a new field and use spath on that, e.g.

your base search | rex "^([^\{]+)(?<jsondata>.+)$" | spath input=jsondata
0 Karma
Reply
Solved! Jump to solution

saranya12
New Member
‎01-21-2019 12:30 PM

Thank you worked for me , adding complete search query it might help some one 

my base search | rex "^([^\{]+)(?<jsondata>.+)$" |spath input=jsondata output=fileName path=fileNamesList{}.fileName |table fileName
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-21-2019 01:55 PM

Thanks for sharing your working search. Please remember to format your searches/code snippet by selecting the query and clicking on "101010" button on the top of the text area.

Please mark this question answered by accepting this as an answer.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...