How to remove {} in Json extracted fields during s...

manikanta461 · ‎03-17-2022

Hello All,
I have JSON data and sometimes it is nested and sometimes it is not, whenever it is a nested array I have a {} in the field name, and when it's not there is no {}. I'm trying to make a field alias to a common field name. But, I want to write a single alias to convert the field name if {} is present or not to a new name?
Any leads on how can I do it? (Either remove {} before the fields are extracted at search time or aliasing in the props.conf to a new name.)

eg: items{}.description once, items.description the other other time --> rename to items.description during the search time without using rename command
OR
remove {} before fields are extracted on the search head.

P.S: I don't want to do index time field extraction.

#fieldaliasing #json

somesoni2 · ‎03-22-2022

You can create calculated fields to create a new field. You can also do the same eval inline in the search.

Inline search:

| eval "item_description"=coalesce('item.description','item{}.description')

Props.conf (on search head):
[YourSourcetype]
EVAL-item_description = coalesce('item.description','item{}.description')

tshah-splunk · ‎03-22-2022

Hey @manikanta461,

Try using spath in the search query and in the output parameter, you can set the fieldname that you want.

Related docs for spath command can be found here -

https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Spath

https://blog.avotrix.com/spath-command-in-splunk/

---
If you find the answer helpful, an upvote/karma is appreciated

How to remove {} in Json extracted fields during search time without using rename in the search?

field extraction

JSON

props.conf

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!