Getting Data In

How to extract unique Json String field value?

srinim1234
Engager

Hi,

I have the following JSON String logs. I would like to extract JSON unique field values. It should go over all the message fields and extract specific field values from a JSON array("name") and unique them. Could someone help with Splunk query?

 

Raw log

{
"@timestamp": "2022-03-28T07:38:45.123+00:00",
"message": "request - {\"metrics\":[{\"name\":\"m1\",\"downsample\":\"sum\"},{\"name\":\"m2\",\"downsample\":\"sum\"},{\"name\":\"m1\",\"downsample\":\"sum\"}]}"
}

JSON

 {
"metrics": [{
"name": "m1",
"aggregator": "sum",
}, {
"name": "m2",
"downsample": "sum"
}, {
"name": "m1",
"downsample": "sum"
}]
}

 

Expected Output:

 

m1
m2 
...

 

Labels (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@srinim1234 

Can you please try below search?

YOUR_SEARCH
| rex field=message \"name\":\"(?<name>\w+)\" max_match=0
| mvexpand name
| table name

 

I suggest above search for your requirement. 

Below search for learning purpose as another way of achieving same output.

YOUR_SEARCH
| rex field=message "request - (?<data>.*)" | rename data as _raw | kv
|mvexpand metrics{}.name
| table metrics{}.name

 

Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@srinim1234 

Can you please try below search?

YOUR_SEARCH
| rex field=message \"name\":\"(?<name>\w+)\" max_match=0
| mvexpand name
| table name

 

I suggest above search for your requirement. 

Below search for learning purpose as another way of achieving same output.

YOUR_SEARCH
| rex field=message "request - (?<data>.*)" | rename data as _raw | kv
|mvexpand metrics{}.name
| table metrics{}.name

 

Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

srinim1234
Engager

Thank you! This helped!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 "\\\\\"name\\\\\":\\\\\"(?<name>[^\\\\]+)"
| eval name=mvdedup(name)
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...