Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Extract data from Jason
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract data from Jason
ppanchal
Path Finder
01-31-2018
12:19 PM
Hi,
I want to extract fields like date, site, etc from the below log (jason), how can I do this?
[{"date":"2018-01-30","site":"S01027","routePublishCount":"17","routeCount":"97","customerCount":"931"},{"date":"2018-01-30","site":"S02923","routePublishCount":"16","routeCount":"119","customerCount":"1248"},{"date":"2018-01-30","site":"S03175","routePublishCount":"14","routeCount":"79","customerCount":"701"},{"date":"2018-01-30","site":"S03422","routePublishCount":"24","routeCount":"146","customerCount":"1486"}]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-31-2018
10:45 PM
hey try this run anywhere search
| makeresults
| eval _raw="[{\"date\":\"2018-01-30\",\"site\":\"S01027\",\"routePublishCount\":\"17\",\"routeCount\":\"97\",\"customerCount\":\"931\"},{\"date\":\"2018-01-30\",\"site\":\"S02923\",\"routePublishCount\":\"16\",\"routeCount\":\"119\",\"customerCount\":\"1248\"},{\"date\":\"2018-01-30\",\"site\":\"S03175\",\"routePublishCount\":\"14\",\"routeCount\":\"79\",\"customerCount\":\"701\"},{\"date\":\"2018-01-30\",\"site\":\"S03422\",\"routePublishCount\":\"24\",\"routeCount\":\"146\",\"customerCount\":\"1486\"}]"
| spath
| rename {}.* as *
In your environment, you should try
index=<your_index>
| spath
| rename {}.* as *
| table date site
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anthonymelita
Contributor
01-31-2018
12:30 PM
Splunk can do some automatic handling of Json. After your initial search command, try piping either
| spath
or
| extract pairdelim="{,}" kvdelim=":"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppanchal
Path Finder
01-31-2018
12:46 PM
can you give me a complete search query?
I am doing,
index=* | table date, site
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anthonymelita
Contributor
01-31-2018
02:17 PM
I didn't pay close attention to your example being a single event multivalue json, so not entirely sure this will work:
index=*
| extract pairdelim="{,}" kvdelim=":"
| table date, site
there are other commands for handling multivalue like mvexpand
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppanchal
Path Finder
01-31-2018
04:20 PM
Not sure why but the above query is returning only single value from the jason. Please help.
date site
2018-01-30 S01027
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
