How to split json field with backslash separated v...

norbertt911 · ‎05-10-2023

Hi,

I have a json field where multiple values listed separated by backslash in raw (space in list view) like this:

"value": "audit_retention_configure\nos_airdrop_disable......\nsystem_settings_wifi_menu_enable\n"

In list view the extraction looks ok, but the whole list shown as a single value. I would like to split it.

I did this:

Mysearch

| rename "extensionAttribute.value" AS value
| search value="*" AND NOT value="No Base*"
| eval values=split(value,"X")
| mvexpand values
| table values

If i set X="\" (unbalanced quotes), or "\\", or " " (space), there is no change in the result, if I set forexample "_", it will split the field by _ like a charm...

Please advise what should I do for

audit_retention_configure
nos_airdrop_disable
.
.
.
nsystem_settings_wifi_menu_enable

result.

norbertt911 · ‎05-11-2023

... and finally I found it.

I can't explain why, but if I replace the \n with any random character, the do the split it's works.

enzomialich · ‎05-10-2023

Try:

| makemv delim="\" value

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Makemv

norbertt911 · ‎05-11-2023

Thanks,

first of all I just realised that the separator is not just a backslash, but "\n" - new line.

anyway my results are same like with split. makemv do the job too with any delimiter except the \n (\\n,\\\\n or any variation).

How to split json field with backslash separated values?

field extraction

JSON

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation