Re: json field with backslash separated values

norbertt911 · ‎05-10-2023

Hi,

I have a json field where multiple values listed separated by backslash in raw (space in list view) like this:

"value": "audit_retention_configure\nos_airdrop_disable......\nsystem_settings_wifi_menu_enable\n"

In list view the extraction looks ok, but the whole list shown as a single value. I would like to split it.

I did this:

Mysearch

| rename "extensionAttribute.value" AS value
| search value="*" AND NOT value="No Base*"
| eval values=split(value,"X")
| mvexpand values
| table values

If i set X="\" (unbalanced quotes), or "\\", or " " (space), there is no change in the result, if I set forexample "_", it will split the field by _ like a charm...

Please advise what should I do for

audit_retention_configure
nos_airdrop_disable
.
.
.
nsystem_settings_wifi_menu_enable

result.

norbertt911 · ‎05-11-2023

... and finally I found it.

I can't explain why, but if I replace the \n with any random character, the do the split it's works.

enzomialich · ‎05-10-2023

Try:

| makemv delim="\" value

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Makemv

norbertt911 · ‎05-11-2023

Thanks,

first of all I just realised that the separator is not just a backslash, but "\n" - new line.

anyway my results are same like with split. makemv do the job too with any delimiter except the \n (\\n,\\\\n or any variation).

How to split json field with backslash separated values?

field extraction

JSON

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...