Solved: How to print multiple JSON root elements?

amirrachman · ‎04-12-2019

Hi,

I've data like this

{
"container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
"container_name":"nginx",
"name":"eventBase0"
}
{
"name":"eventBase1",
"hostname":"google.com",
"pid":7
}

This above format are contain 2 multiple json root elements which second value "eventBase1" not shown on interesting fields in splunk dashboard. My output format is i want to get the second value and print on a table such as below.

+++++++++++++++++++++++++++++++
+++ name | hostname | pid +++

Thanks

harshpatel · ‎04-15-2019

Hi @amirrachman ,

You can either manually extract it at search time using rex command like:

| rex field=_raw "\"name\":\"(?<name>\w+)\""

OR
You can reformat your data so that it is in proper JSON format so Splunk can auto extract fields for you. I would recommend the latter.

View solution in original post

harshpatel · ‎04-15-2019

Hi @amirrachman ,

You can either manually extract it at search time using rex command like:

| rex field=_raw "\"name\":\"(?<name>\w+)\""

OR
You can reformat your data so that it is in proper JSON format so Splunk can auto extract fields for you. I would recommend the latter.

amirrachman · ‎04-15-2019

Hi @harshpatel, the json that I've is like below.
so I have both "name" field on the json files (I just revise my question on above). within those both "name", i want to take "name" on second value "eventBase1"

{
    "container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
    "container_name":"nginx",
    "name":"eventBase0"
    }
    {
    "name":"eventBase1",
    "hostname":"google.com",
    "pid":7
    }

harshpatel · ‎04-15-2019

Try this:

| rex field=_raw "{\s*\"name\":\"(?<name>\w+)\""

amirrachman · ‎04-15-2019

Thank @harshpatel it's working perfect as I want

harshpatel · ‎04-14-2019

Hi @amirrachman The problem here is you don't have your data as correct JSON format that's why Splunk couldn't extract those fields... If you want auto extraction you should have the following format in your case:

[{
     "container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
     "container_name":"nginx"
     },
     {
     "name":"eventBase1",
     "hostname":"google.com",
     "pid":7
     }]

i.e. JSON array

amirrachman · ‎04-15-2019

hi @harshpatel yes, in this case, the logs is not have correct json format, for reformating, yes I create an concat array, then how i got the second value which I want ?

{
 "name":"eventBase1",
 "hostname":"google.com",
 "pid":7
 }

woodcock · ‎04-13-2019

Like this:

| makeresults 
| eval _raw="{
\"container_id\":\"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23\",
\"container_name\":\"nginx\"
    }
{
\"name\":\"eventBase1\",
\"hostname\":\"google.com\",
\"pid\":7
}"

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| rex mode=sed "s/([\r\n\s]+\})([\r\n\s]+\{[\r\n\s]+)/\1::::{\n/g"
| rename _raw AS raw
| makemv delim="::::" raw
| mvexpand raw 
| rename raw AS _raw
| spath

amirrachman · ‎04-14-2019

For this command above, i need to concat all string with "\", the line of json format are very long, above is only example code, is there any other way to get only for second json root elements ?

| eval _raw="{
\"container_id\":\"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23\",
\"container_name\":\"nginx\"
}
{
\"name\":\"eventBase1\",
\"hostname\":\"google.com\",
\"pid\":7
}"

woodcock · ‎04-15-2019

You are TOTALLY missing the point. Read the line that is singled out. It says Everything above generates sample events; everything below is your solution. You only need the stuff below that line, the portion that begins with | rex ....

How to print multiple JSON root elements?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies