How to print multiple JSON root elements?

amirrachman
Engager

Hi,

I have data like this:

{
"container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
"container_name":"nginx",
"name":"eventBase0"
}
{
"name":"eventBase1",
"hostname":"google.com",
"pid":7
}

The format above contains two JSON root elements, and the second value, "eventBase1", is not shown under interesting fields in the Splunk dashboard. For my output, I want to get the second value and print it in a table such as the one below.

+++++++++++++++++++++++++++++++
+++ name | hostname | pid +++

Thanks

0 Karma
1 Solution

harshpatel
Contributor

Hi @amirrachman ,

You can either manually extract it at search time using rex command like:

| rex field=_raw "\"name\":\"(?<name>\w+)\""

OR
You can reformat your data so that it is in proper JSON format so Splunk can auto extract fields for you. I would recommend the latter.

amirrachman
Engager

Hi @harshpatel, the JSON that I have is like below.
So I have a "name" field in both objects in the JSON files (I just revised my question above). Of those two "name" fields, I want to take the "name" with the second value, "eventBase1".

{
"container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
"container_name":"nginx",
"name":"eventBase0"
}
{
"name":"eventBase1",
"hostname":"google.com",
"pid":7
}
0 Karma

harshpatel
Contributor

Try this:

| rex field=_raw "{\s*\"name\":\"(?<name>\w+)\""
0 Karma

amirrachman
Engager

Thanks @harshpatel, it's working perfectly, just as I want.

0 Karma

harshpatel
Contributor

Hi @amirrachman, the problem here is that your data is not in correct JSON format; that's why Splunk couldn't extract those fields. If you want auto-extraction, you should have the following format in your case:

[{
"container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
"container_name":"nginx"
},
{
"name":"eventBase1",
"hostname":"google.com",
"pid":7
}]

i.e. a JSON array

0 Karma

amirrachman
Engager

Hi @harshpatel, yes, in this case the logs do not have correct JSON format. For reformatting, yes, I created a concatenated array, but then how do I get the second value that I want?

{
"name":"eventBase1",
"hostname":"google.com",
"pid":7
}
0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval _raw="{
\"container_id\":\"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23\",
\"container_name\":\"nginx\"
    }
{
\"name\":\"eventBase1\",
\"hostname\":\"google.com\",
\"pid\":7
}"

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| rex mode=sed "s/([\r\n\s]+\})([\r\n\s]+\{[\r\n\s]+)/\1::::{\n/g"
| rename _raw AS raw
| makemv delim="::::" raw
| mvexpand raw 
| rename raw AS _raw
| spath
0 Karma
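The two fixes proposed in this thread, splitting the concatenated root objects apart (woodcock's sed/mvexpand approach) and rewriting the data as a JSON array so Splunk auto-extracts the fields (harshpatel's recommendation), can also be done on the producing side before the data reaches Splunk. The Python below is an added example, not code from the thread; it uses json.JSONDecoder.raw_decode, which parses one root value and reports where it stopped, so a brace inside a string value does not break the split the way a regex on `}`/`{` can. The sample event is constructed from the question.

```python
import json

# Constructed sample event: two JSON root elements in one event, as in the question.
SAMPLE_EVENT = """{
"container_id":"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23",
"container_name":"nginx",
"name":"eventBase0"
}
{
"name":"eventBase1",
"hostname":"google.com",
"pid":7
}"""


def split_json_roots(raw: str) -> list:
    """Split concatenated JSON root objects into a list of dicts.

    raw_decode() returns (value, end_index), so each object is consumed
    by a real parser and braces inside string values are handled.
    """
    decoder = json.JSONDecoder()
    roots, pos = [], 0
    while pos < len(raw):
        while pos < len(raw) and raw[pos].isspace():  # skip inter-object whitespace
            pos += 1
        if pos >= len(raw):
            break
        obj, pos = decoder.raw_decode(raw, pos)  # raises JSONDecodeError on bad input
        roots.append(obj)
    return roots


def to_json_array(raw: str) -> str:
    """Rewrite the roots as one JSON array, the shape Splunk auto-extracts."""
    return json.dumps(split_json_roots(raw), separators=(",", ":"))


def second_root(raw: str) -> dict:
    """Return the second root element (the 'eventBase1' object in the question)."""
    roots = split_json_roots(raw)
    if len(roots) < 2:
        raise ValueError(f"expected 2+ JSON root elements, found {len(roots)}")
    return roots[1]


if __name__ == "__main__":
    sec = second_root(SAMPLE_EVENT)
    print(sec["name"], sec["hostname"], sec["pid"])  # eventBase1 google.com 7
```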

amirrachman
Engager

For the command above, I need to escape every quote with "\", and the lines of JSON are very long; the above is only example code. Is there any other way to get only the second JSON root element?

| eval _raw="{
\"container_id\":\"0fce97fd907a806802eab9b27965dd35dd82bbe142d128294b34b8a8a2e42f23\",
\"container_name\":\"nginx\"
}
{
\"name\":\"eventBase1\",
\"hostname\":\"google.com\",
\"pid\":7
}"

0 Karma

woodcock
Esteemed Legend

You are TOTALLY missing the point. Read the line that is singled out. It says Everything above generates sample events; everything below is your solution. You only need the stuff below that line, the portion that begins with | rex ....

0 Karma