Getting Data In

How to parse JSON with JSON array to identify fields?

ziyod2005
Explorer

Could someone guide me through to parse JSON within JSON array? I have tried many different variations with spath command but without luck

source = connection.txt

begin: {
"conn":
{
"type":"scp",
"ip":"1.1.1.1",
"userName":"tiger",
"password":"wood",
"platform":"ibm",
"retryCnt":10
},
"mainCommandsList":
[{
"commandSetId":"1234",
"commandSetName":"setName",
"commandListType":"listType",
"commandList":
[
{
"commandLineId":1,
"commandLevel":0,
"command":"sh redundancy inter-device",
"lineFeedCnt":1,
"ignoreErrors":true
}
]
}
],
"serialNumber":"aaaaaaaa1",
"scpHostName":"10.10.10.10",
"scpUserName":"testUser",
"scpPassword":"testPass",
"scpRoot":"downloads"
}

Tags (3)
0 Karma

somesoni2
Revered Legend

It seems that your events don't have true json format (due to 'begin: ' in the start. In case you can't get rid of that, you can try this workaround:

your base search | rex "begin:\s*(?<temp_raw>.*)"| spath input=temp_raw... rest your your search

psidler
Explorer

Hi,

I also had some problems getting the JSON Data into splunk. I have tried the following:

Setting Sourcetype to _json

Added the following to the props.conf:

[_json]
KV_MODE = _json
LINE_BREAKER = "(^){"
SHOULD_LINEMERGE = false
MAX_EVENTS = 3000000
TRUNCATE = 3000000

I used MAX_EVENTS and TRUNCATE because my JSON Events has more ore less 10000 lines.

For xour JSON sample i would use:

[_json]
KV_MODE = _json
LINE_BREAKER = "(^)begin: {"
SHOULD_LINEMERGE = false

Then it should build the events for you:

conn.type = scp
conn.ip = 1.1.1.1
conn.userName = tiger
conn.password =wood
...
...
conn.mainCommandsList.commandSetId = 1234
conn.mainCommandsList.commandSetName = setName
...
...

I hope this is what you are looking for.

Regards,
Patrik

Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...