Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract key value pairs from JSON with a variable key through HTTP Event Collector?

cloudshowbob
New Member
‎05-18-2020 08:57 AM

I need help with the following JSON format which is coming from HTTP Event Collector. I want to extract Status, Severity, Id and PatchState from the following JSON format:

{
    "relatedEvents": [],
    "relationships": [
        {
            "resourceId": "REDACTED
            "resourceType": "AWS::SSM::ManagedInstanceInventory",
            "name": "Is associated with "
        }
    ],
    "configuration": {
        "AWS:ComplianceItem": {
            "SchemaVersion": "1.0",
            "Content": {
                "Patch": {
                    "SomeValue": {
                        "Status": "NON_COMPLIANT",
                        "InstalledTime": "",
                        "ExecutionType": "Command",
                        "PatchSeverity": "",
                        "Title": "AAAAAAAA",
                        "Severity": "UNSPECIFIED",
                        "ComplianceType": "Patch",
                        "Classification": "",
                        "DocumentVersion": "",
                        "Id": "BBBBB",
                        "PatchState": "Missing",
                        "PatchBaselineId": "pb-xxxxxxxxxxxxxxxx",
                        "DocumentName": "",
                        "PatchGroup": ""
                    },
                    "SomeOtherValue": {
                        "Status": "NON_COMPLIANT",
                        "InstalledTime": "",
                        "ExecutionType": "Command",
                        "PatchSeverity": "",
                        "Title": "CCCCCCCC",
                        "Severity": "UNSPECIFIED",
                        "ComplianceType": "Patch",
                        "Classification": "",
                        "DocumentVersion": "",
                        "Id": "AAAAAAA",
                        "PatchState": "Missing",
                        "PatchBaselineId": "pb-xxxxxxx",
                        "DocumentName": "",
                        "PatchGroup": ""
                    },

Please note that the embedded nesting's 4th element is a variable (usually a package name) so it is hard to parse using spath and I do not have a fixed number of the 4th nested JSON objects I receive.

Please help and thanks in advance.

Labels (2)
Labels
0 Karma
Reply

ruman_splunk
Splunk Employee
Splunk Employee
‎05-28-2020 02:00 PM

Do an EXTRACT in props.conf that completely ignores the fact that it's JSON 🙂 e.g.

[foo]
EXTRACT-PatchState = "PatchState: \"(?<PatchState>[^\"]+)\","
0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 07:46 PM

maybe, your log is one line
use Show as raw text and provide them.

and in your json-like log , "Patch": is array [ , isn't it?

0 Karma
Reply

cloudshowbob
New Member
‎05-20-2020 10:26 AM

I am giving a subset, the raw json is like 10k+ lines. There are no arrays just embedded json objects

0 Karma
Reply

to4kawa
Ultra Champion
‎05-20-2020 02:04 PM

there is the array relationships in your sample.

good luck.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...