Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove {} in Json extracted fields during search time without using rename in the search?

manikanta461
Explorer
‎03-17-2022 09:29 AM

Hello All,
I have JSON data and sometimes it is nested and sometimes it is not, whenever it is a nested array I have a {} in the field name, and when it's not there is no {}. I'm trying to make a field alias to a common field name. But, I want to write a single alias to convert the field name if {} is present or not to a new name?
Any leads on how can I do it? (Either remove {} before the fields are extracted at search time or aliasing in the props.conf to a new name.)

eg: items{}.description once, items.description the other other time --> rename to items.description during the search time without using rename command
                       OR
remove {} before fields are extracted on the search head.

P.S: I don't want to do index time field extraction.

#fieldaliasing #json 

 

Labels (3)
Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎03-22-2022 10:22 AM

You can create calculated fields   to create a new field. You can also do the same eval inline in the search.

Inline search:

| eval "item_description"=coalesce('item.description','item{}.description')

Props.conf (on search head):
[YourSourcetype]
EVAL-item_description = coalesce('item.description','item{}.description')
0 Karma
Reply

tshah-splunk
Splunk Employee
Splunk Employee
‎03-22-2022 01:31 AM

Hey @manikanta461,

Try using spath in the search query and in the output parameter, you can set the fieldname that you want.

Related docs for spath command can be found here - 

https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Spath 

https://blog.avotrix.com/spath-command-in-splunk/

 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...