Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to parse JSON with JSON array to identify fiel...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to parse JSON with JSON array to identify fields?
Could someone guide me through to parse JSON within JSON array? I have tried many different variations with spath command but without luck
source = connection.txt
begin: {
"conn":
{
"type":"scp",
"ip":"1.1.1.1",
"userName":"tiger",
"password":"wood",
"platform":"ibm",
"retryCnt":10
},
"mainCommandsList":
[{
"commandSetId":"1234",
"commandSetName":"setName",
"commandListType":"listType",
"commandList":
[
{
"commandLineId":1,
"commandLevel":0,
"command":"sh redundancy inter-device",
"lineFeedCnt":1,
"ignoreErrors":true
}
]
}
],
"serialNumber":"aaaaaaaa1",
"scpHostName":"10.10.10.10",
"scpUserName":"testUser",
"scpPassword":"testPass",
"scpRoot":"downloads"
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems that your events don't have true json format (due to 'begin: ' in the start. In case you can't get rid of that, you can try this workaround:
your base search | rex "begin:\s*(?<temp_raw>.*)"| spath input=temp_raw... rest your your search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I also had some problems getting the JSON Data into splunk. I have tried the following:
Setting Sourcetype to _json
Added the following to the props.conf:
[_json]
KV_MODE = _json
LINE_BREAKER = "(^){"
SHOULD_LINEMERGE = false
MAX_EVENTS = 3000000
TRUNCATE = 3000000
I used MAX_EVENTS and TRUNCATE because my JSON Events has more ore less 10000 lines.
For xour JSON sample i would use:
[_json]
KV_MODE = _json
LINE_BREAKER = "(^)begin: {"
SHOULD_LINEMERGE = false
Then it should build the events for you:
conn.type = scp
conn.ip = 1.1.1.1
conn.userName = tiger
conn.password =wood
...
...
conn.mainCommandsList.commandSetId = 1234
conn.mainCommandsList.commandSetName = setName
...
...
I hope this is what you are looking for.
Regards,
Patrik
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
