Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to parse JSON data at search-time?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to parse JSON data at search-time?
I am getting different types of data from source. It can be XML or JSON.
For XML, I am just indexing whole file and later at search-time, I am using xmlkv + xpath to parse and get the data that I want.
For JSON, I need to index whole file, but is there a way that I can parse at search time similar to the above.?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Spath is your friend if you want automatic field extraction during search time for both XML and JSON type of data:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Javier,
I cannot specify any format while indexing data. for xml, if i specify xmlkv and use spath, it works fine. but, i am not sure about the json.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean you can't specify the format? Is each file a valid json file? Or does it contain individual json events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As said earlier, i can get xml file or json file. While indexing the data, i just need to load whole file. Because, end users need to see whole file.
But, our processing framework needs splitted data.
I have json as below.
{
"Document": {
"-xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
"-xsi:noNamespaceSchemaLocation": "EPA_GEODATA_v1.0.xsd"
},
"FacilitySite": [{
"LatitudeMeasure": "31.59",
"LongitudeMeasure": "-85.278333",
"Program": {
"ProgramCommonName": "TRIS",
"ProgramAcronymName": "TRIS"
}
}, {
"LocalityName": "ABBEVILLE",
"LocationAddressStateCode": "AL",
"Program": {
"ProgramCommonName": "TRIS",
"ProgramAcronymName": "TRIS"
}
}]
}
can i get child json document as below.
"Program": {
"ProgramCommonName": "TRIS",
"ProgramAcronymName": "TRIS"
}
-----------------------------
"Program": {
"ProgramCommonName": "TRIS",
"ProgramAcronymName": "TRIS"
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Run the following query from Splunk and let me know if this is what you are looking for.
If so, then simply apply the same logic to your events.
| stats count
| eval jsonIn = "
{
\"Document\": {
\"-xmlns:xsi\": \"http://www.w3.org/2001/XMLSchema-instance\",
\"-xsi:noNamespaceSchemaLocation\": \"EPA_GEODATA_v1.0.xsd\"
},
\"FacilitySite\": [{
\"LatitudeMeasure\": \"31.59\",
\"LongitudeMeasure\": \"-85.278333\",
\"Program\": {
\"ProgramCommonName\": \"TRIS\",
\"ProgramAcronymName\": \"TRIS\"
}
}, {
\"LocalityName\": \"ABBEVILLE\",
\"LocationAddressStateCode\": \"AL\",
\"Program\": {
\"ProgramCommonName\": \"TRIS\",
\"ProgramAcronymName\": \"TRIS\"
}
}]
}
"
| spath input=jsonIn path=FacilitySite{}.Program output=Program
| fields Program
Output:
Program
{ "ProgramCommonName": "TRIS", "ProgramAcronymName": "TRIS" }
{ "ProgramCommonName": "TRIS", "ProgramAcronymName": "TRIS" }
.conf25 Global Broadcast: Don’t Miss a Moment
Observe and Secure All Apps with Splunk
What's New in Splunk Observability - August 2025
