source = connection.txt

ziyod2005 · ‎08-15-2014

Could someone guide me through to parse JSON within JSON array? I have tried many different variations with spath command but without luck

source = connection.txt

begin: {
"conn":
{
"type":"scp",
"ip":"1.1.1.1",
"userName":"tiger",
"password":"wood",
"platform":"ibm",
"retryCnt":10
},
"mainCommandsList":
[{
"commandSetId":"1234",
"commandSetName":"setName",
"commandListType":"listType",
"commandList":
[
{
"commandLineId":1,
"commandLevel":0,
"command":"sh redundancy inter-device",
"lineFeedCnt":1,
"ignoreErrors":true
}
]
}
],
"serialNumber":"aaaaaaaa1",
"scpHostName":"10.10.10.10",
"scpUserName":"testUser",
"scpPassword":"testPass",
"scpRoot":"downloads"
}

somesoni2 · ‎08-18-2014

It seems that your events don't have true json format (due to 'begin: ' in the start. In case you can't get rid of that, you can try this workaround:

your base search | rex "begin:\s*(?<temp_raw>.*)"| spath input=temp_raw... rest your your search

psidler · ‎08-16-2014

Hi,

I also had some problems getting the JSON Data into splunk. I have tried the following:

Setting Sourcetype to _json

Added the following to the props.conf:

[_json]
KV_MODE = _json
LINE_BREAKER = "(^){"
SHOULD_LINEMERGE = false
MAX_EVENTS = 3000000
TRUNCATE = 3000000

I used MAX_EVENTS and TRUNCATE because my JSON Events has more ore less 10000 lines.

For xour JSON sample i would use:

[_json]
KV_MODE = _json
LINE_BREAKER = "(^)begin: {"
SHOULD_LINEMERGE = false

Then it should build the events for you:

conn.type = scp
conn.ip = 1.1.1.1
conn.userName = tiger
conn.password =wood
...
...
conn.mainCommandsList.commandSetId = 1234
conn.mainCommandsList.commandSetName = setName
...
...

I hope this is what you are looking for.

Regards,
Patrik

How to parse JSON with JSON array to identify fields?

source = connection.txt

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms