Solved: How to handle simple JSON array with spath

ruman · ‎10-25-2012

The field value is ["","apples","oranges"]

| spath input=foo creates a multi-value field named '{}'. which is a little weird.

| spath input=foo output=bar fails. splunk complains

Error in 'spath' command: You have not specified a path. Try using "path=mypath" as an argument to spath.

I can't find a value for path that works, given that i want to address the root.

A kludgey workaround is | spath input=foo | rename "{}" AS bar, but it would be nicer if this was possible with spath alone.

vliao · ‎02-11-2013

This might not answer your question, but I had a similar problem getting spath to work with an array of objects. For foo=[{"bar":1},{"bar":2},{"bar":3}], I did not even get a multivalued field named '{}' when using: | spath input=foo

I got spath to work by changing my log format and wrapping the JSON array in an object:

foo={"foo":[{"bar":1},{"bar":2},{"bar":3}]}

I was then able to use the following:

| spath input=foo output=bar path=foo{}.bar

Without altering the log, I was able to use:

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}.bar

View solution in original post

sanjax90 · ‎05-12-2020

*How to use spath for below JSON to check if for AnalyticsExternalDataSizeMB Remaining/Max*100 is >=70%?*

{
"AnalyticsExternalDataSizeMB":{
"Max":478600,
"Remaining":40960
},
"ConcurrentAsyncGetReportInstances":{
"Max":200,
"Remaining":200
},
"ConcurrentEinsteinDataInsightsStoryCreation":{
"Max":5,
"Remaining":5
},
"ConcurrentEinsteinDiscoveryStoryCreation":{
"Max":2,
"Remaining":2
},
"ConcurrentSyncReportRuns":{
"Max":20,
"Remaining":20
},
"DailyAnalyticsDataflowJobExecutions":{
"Max":60,
"Remaining":60
},
"DailyAnalyticsUploadedFilesSizeMB":{
"Max":51200,
"Remaining":51200
},

sheshank_kodam · ‎08-04-2016

How do I extract the title information from the json and table it

[{
    'start_time': '2016-08-05T18:42:00Z',
    'title': u "event1",
    'end_time': '2016-08-05T20:49:00Z'
}, {
    'start_time': '2016-08-05T18:42:00Z',
    'title': u "event2",
    'end_time': '2016-08-05T20:49:00Z'
}]

Desired output (in table)
Title
event1
event2

Here is the search I have and it doesn't work

| spath input=err output=title path={}.title | table title

vliao · ‎02-11-2013

This might not answer your question, but I had a similar problem getting spath to work with an array of objects. For foo=[{"bar":1},{"bar":2},{"bar":3}], I did not even get a multivalued field named '{}' when using: | spath input=foo

I got spath to work by changing my log format and wrapping the JSON array in an object:

foo={"foo":[{"bar":1},{"bar":2},{"bar":3}]}

I was then able to use the following:

| spath input=foo output=bar path=foo{}.bar

Without altering the log, I was able to use:

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}.bar

ruman · ‎02-14-2013

Wow! That's perfect. For my case, just a naked array instead of an array of objects, I was able to say

foo=["","apples","oranges"]

| eval foo="{\"foo\":" + foo + "}" | spath input=foo output=bar path=foo{}

Thanks!

sivasn1 · ‎08-09-2015

Hey Guys,, when you use 'foo' everywhere, its a little difficult for me to follow which refers to which 'foo'.. Please use variants like 'foo2' or 'foo_key' etc for clarity for beginners

DalJeanis · ‎03-01-2018

@sivasn1 -

The event JSON comes in with this data...

  foo1=["","apples","oranges"]

This takes the value above, prepends the name foo3 to it to establish a valid path in JSON format, and puts it into a variable named foo2.

 | eval foo2="{\"foo3\":" + foo1 + "}"

This takes the foo2 valid JSON variable we just created value above, and uses the spath command to tell it to extract the information from down the foo3 path to a normal splunk multivalue field named foo4.

| spath input=foo2 output=foo4 path=foo3{}

Using the above, you should be able to understand what was happening with the original code.

Here's a run-anywhere sample...

 | makeresults 
 | eval foo1="[\"\",\"apples\",\"oranges\"]"
 | eval foo2="{\"foo3\":" + foo1 + "}" 
 | spath input=foo2 output=foo4 path=foo3{}
 | table foo1 foo2 foo3 foo4

Note that with the above table command, field foo3 will be null, because it isn't a field in splunk, it is a field name assigned solely in the JSON data.

ruman_splunk · ‎08-04-2016

https://en.wikipedia.org/wiki/Metasyntactic_variable#English

gryz · ‎10-25-2012

Are you sure that you are feeding it proper json formated data? I did some stuff with json that wasn't working quite right and it turned out we were not formating it correctly.

ruman · ‎10-25-2012

The fact that spath input=foo correctly creates a multiple value field, with correct data, suggests that the JSON is well-formed.

As noted, the JSON in question is ["","apples","oranges"] - let me know if there's something wrong with that. Maybe I should provide the original event:

[25-Oct-2012 13:37:38] INFO [test] foo="[\"\",\"apples\",\"oranges\"]"

There's a transform that handles the escaped quotes gracefully.

How to handle simple JSON array with spath

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?