Solved: Re: How to handle simple JSON array with spath

ruman · ‎10-25-2012

The field value is ["","apples","oranges"]

| spath input=foo creates a multi-value field named '{}'. which is a little weird.

| spath input=foo output=bar fails. splunk complains

Error in 'spath' command: You have not specified a path. Try using "path=mypath" as an argument to spath.

I can't find a value for path that works, given that i want to address the root.

A kludgey workaround is | spath input=foo | rename "{}" AS bar, but it would be nicer if this was possible with spath alone.

vliao · ‎02-11-2013

This might not answer your question, but I had a similar problem getting spath to work with an array of objects. For foo=[{"bar":1},{"bar":2},{"bar":3}], I did not even get a multivalued field named '{}' when using: | spath input=foo

I got spath to work by changing my log format and wrapping the JSON array in an object:

foo={"foo":[{"bar":1},{"bar":2},{"bar":3}]}

I was then able to use the following:

| spath input=foo output=bar path=foo{}.bar

Without altering the log, I was able to use:

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}.bar

View solution in original post

sanjax90 · ‎05-12-2020

*How to use spath for below JSON to check if for AnalyticsExternalDataSizeMB Remaining/Max*100 is >=70%?*

{
"AnalyticsExternalDataSizeMB":{
"Max":478600,
"Remaining":40960
},
"ConcurrentAsyncGetReportInstances":{
"Max":200,
"Remaining":200
},
"ConcurrentEinsteinDataInsightsStoryCreation":{
"Max":5,
"Remaining":5
},
"ConcurrentEinsteinDiscoveryStoryCreation":{
"Max":2,
"Remaining":2
},
"ConcurrentSyncReportRuns":{
"Max":20,
"Remaining":20
},
"DailyAnalyticsDataflowJobExecutions":{
"Max":60,
"Remaining":60
},
"DailyAnalyticsUploadedFilesSizeMB":{
"Max":51200,
"Remaining":51200
},

sheshank_kodam · ‎08-04-2016

How do I extract the title information from the json and table it

[{
    'start_time': '2016-08-05T18:42:00Z',
    'title': u "event1",
    'end_time': '2016-08-05T20:49:00Z'
}, {
    'start_time': '2016-08-05T18:42:00Z',
    'title': u "event2",
    'end_time': '2016-08-05T20:49:00Z'
}]

Desired output (in table)
Title
event1
event2

Here is the search I have and it doesn't work

| spath input=err output=title path={}.title | table title

vliao · ‎02-11-2013

This might not answer your question, but I had a similar problem getting spath to work with an array of objects. For foo=[{"bar":1},{"bar":2},{"bar":3}], I did not even get a multivalued field named '{}' when using: | spath input=foo

I got spath to work by changing my log format and wrapping the JSON array in an object:

foo={"foo":[{"bar":1},{"bar":2},{"bar":3}]}

I was then able to use the following:

| spath input=foo output=bar path=foo{}.bar

Without altering the log, I was able to use:

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}.bar

ruman · ‎02-14-2013

Wow! That's perfect. For my case, just a naked array instead of an array of objects, I was able to say

foo=["","apples","oranges"]

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}

Thanks!

sivasn1 · ‎08-09-2015

Hey Guys,, when you use 'foo' everywhere, its a little difficult for me to follow which refers to which 'foo'.. Please use variants like 'foo2' or 'foo_key' etc for clarity for beginners

DalJeanis · ‎03-01-2018

@sivasn1 -

The event JSON comes in with this data...

  foo1=["","apples","oranges"]

This takes the value above, prepends the name foo3 to it to establish a valid path in JSON format, and puts it into a variable named foo2.

 | eval foo2="{\"foo3\":" + foo1 + "}"

This takes the foo2 valid JSON variable we just created value above, and uses the spath command to tell it to extract the information from down the foo3 path to a normal splunk multivalue field named foo4.

| spath input=foo2 output=foo4 path=foo3{}

Using the above, you should be able to understand what was happening with the original code.

Here's a run-anywhere sample...

 | makeresults 
 | eval foo1="[\"\",\"apples\",\"oranges\"]"
 | eval foo2="{\"foo3\":" + foo1 + "}" 
 | spath input=foo2 output=foo4 path=foo3{}
 | table foo1 foo2 foo3 foo4

Note that with the above table command, field foo3 will be null, because it isn't a field in splunk, it is a field name assigned solely in the JSON data.

ruman_splunk · ‎08-04-2016

https://en.wikipedia.org/wiki/Metasyntactic_variable#English

gryz · ‎10-25-2012

Are you sure that you are feeding it proper json formated data? I did some stuff with json that wasn't working quite right and it turned out we were not formating it correctly.

ruman · ‎10-25-2012

The fact that spath input=foo correctly creates a multiple value field, with correct data, suggests that the JSON is well-formed.

As noted, the JSON in question is ["","apples","oranges"] - let me know if there's something wrong with that. Maybe I should provide the original event:

[25-Oct-2012 13:37:38] INFO [test] foo="[\"\",\"apples\",\"oranges\"]"

There's a transform that handles the escaped quotes gracefully.

How to handle simple JSON array with spath

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!