Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to split json field with backslash separated v...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to split json field with backslash separated values?
Hi,
I have a json field where multiple values listed separated by backslash in raw (space in list view) like this:
"value": "audit_retention_configure\nos_airdrop_disable......\nsystem_settings_wifi_menu_enable\n"
In list view the extraction looks ok, but the whole list shown as a single value. I would like to split it.
I did this:
Mysearch
| rename "extensionAttribute.value" AS value
| search value="*" AND NOT value="No Base*"
| eval values=split(value,"X")
| mvexpand values
| table values
If i set X="\" (unbalanced quotes), or "\\", or " " (space), there is no change in the result, if I set forexample "_", it will split the field by _ like a charm...
Please advise what should I do for
audit_retention_configure
nos_airdrop_disable
.
.
.
nsystem_settings_wifi_menu_enable
result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... and finally I found it.
I can't explain why, but if I replace the \n with any random character, the do the split it's works.
...| rename "extensionAttribute.value" AS value
| search value="*" AND NOT value="No Base*"
| eval value=replace(value,"\\n",";")
| makemv delim=";" value
| mvexpand value
| table value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
| makemv delim="\" value
https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Makemv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks,
first of all I just realised that the separator is not just a backslash, but "\n" - new line.
anyway my results are same like with split. makemv do the job too with any delimiter except the \n (\\n,\\\\n or any variation).
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
