Solved: Re: How to use spath command in props.conf or tran...

MAMAOUI · ‎06-27-2018

Hello ,

I used spath command to extract field from json data:

{"key":"value", "key":"value", "key":"value", "key":"value", "key":"value" ...}

and I got the results that I wanted (.. | spath input = json)

My question is how can I get the same results in props.conf or transforms.conf?

Thank you for answer

M&A

richgalloway · ‎06-27-2018

Use INDEXED_EXTRACTIONS = JSON in props.conf.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎06-27-2018

Use INDEXED_EXTRACTIONS = JSON in props.conf.

---
If this reply helps you, Karma would be appreciated.

MAMAOUI · ‎06-28-2018

I used KV_MODE=JSON and it works but my probleme is that i have 2 json
format in the same data :

{"key1":"value1", "key2":"value2", "key3": "{\"key30\":values30,\"key31\":values31........ \"}"}

I dont know if there are any way to use spath in props , some thig like
Eval-Key3=spath ....

Thankyou

MuS · ‎06-28-2018

Nope, that will not work. But you can use any kind of regex as transforms to get around this JSON in JSON problem. See this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html to learn how it can be done.

Additional hint: the regex mentioned in this answer will not work for your JSON in JSON thing ... try \\"([^\\]+)\\":([^,]+) for a start 😉

cheers, MuS

MAMAOUI · ‎06-29-2018

ok I will try .thank you

How to use spath command in props.conf or transforms.conf in Splunk?