Re: json field with backslash separated values

norbertt911 · ‎05-10-2023

Hi,

I have a json field where multiple values listed separated by backslash in raw (space in list view) like this:

"value": "audit_retention_configure\nos_airdrop_disable......\nsystem_settings_wifi_menu_enable\n"

In list view the extraction looks ok, but the whole list shown as a single value. I would like to split it.

I did this:

Mysearch

| rename "extensionAttribute.value" AS value
| search value="*" AND NOT value="No Base*"
| eval values=split(value,"X")
| mvexpand values
| table values

If i set X="\" (unbalanced quotes), or "\\", or " " (space), there is no change in the result, if I set forexample "_", it will split the field by _ like a charm...

Please advise what should I do for

audit_retention_configure
nos_airdrop_disable
.
.
.
nsystem_settings_wifi_menu_enable

result.

norbertt911 · ‎05-11-2023

... and finally I found it.

I can't explain why, but if I replace the \n with any random character, the do the split it's works.

enzomialich · ‎05-10-2023

Try:

| makemv delim="\" value

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Makemv

norbertt911 · ‎05-11-2023

Thanks,

first of all I just realised that the separator is not just a backslash, but "\n" - new line.

anyway my results are same like with split. makemv do the job too with any delimiter except the \n (\\n,\\\\n or any variation).

How to split json field with backslash separated values?

field extraction

JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation