Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Extract data from Jason
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract data from Jason
ppanchal
Path Finder
01-31-2018
12:19 PM
Hi,
I want to extract fields like date, site, etc from the below log (jason), how can I do this?
[{"date":"2018-01-30","site":"S01027","routePublishCount":"17","routeCount":"97","customerCount":"931"},{"date":"2018-01-30","site":"S02923","routePublishCount":"16","routeCount":"119","customerCount":"1248"},{"date":"2018-01-30","site":"S03175","routePublishCount":"14","routeCount":"79","customerCount":"701"},{"date":"2018-01-30","site":"S03422","routePublishCount":"24","routeCount":"146","customerCount":"1486"}]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-31-2018
10:45 PM
hey try this run anywhere search
| makeresults
| eval _raw="[{\"date\":\"2018-01-30\",\"site\":\"S01027\",\"routePublishCount\":\"17\",\"routeCount\":\"97\",\"customerCount\":\"931\"},{\"date\":\"2018-01-30\",\"site\":\"S02923\",\"routePublishCount\":\"16\",\"routeCount\":\"119\",\"customerCount\":\"1248\"},{\"date\":\"2018-01-30\",\"site\":\"S03175\",\"routePublishCount\":\"14\",\"routeCount\":\"79\",\"customerCount\":\"701\"},{\"date\":\"2018-01-30\",\"site\":\"S03422\",\"routePublishCount\":\"24\",\"routeCount\":\"146\",\"customerCount\":\"1486\"}]"
| spath
| rename {}.* as *
In your environment, you should try
index=<your_index>
| spath
| rename {}.* as *
| table date site
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anthonymelita
Contributor
01-31-2018
12:30 PM
Splunk can do some automatic handling of Json. After your initial search command, try piping either
| spath
or
| extract pairdelim="{,}" kvdelim=":"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppanchal
Path Finder
01-31-2018
12:46 PM
can you give me a complete search query?
I am doing,
index=* | table date, site
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anthonymelita
Contributor
01-31-2018
02:17 PM
I didn't pay close attention to your example being a single event multivalue json, so not entirely sure this will work:
index=*
| extract pairdelim="{,}" kvdelim=":"
| table date, site
there are other commands for handling multivalue like mvexpand
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppanchal
Path Finder
01-31-2018
04:20 PM
Not sure why but the above query is returning only single value from the jason. Please help.
date site
2018-01-30 S01027
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
