Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Query JSON dict name of empty dict

mertox
Explorer
‎10-30-2018 10:42 AM

I'm sure that I'm not the first one running into this issue but I currently cant find a proper solution. Image following JSON data:

[
    "Config": {
      "Hostname": "XXHost",
      "ExposedPorts": {
        "1/tcp": {},
        "2/tcp": {},
        "3/tcp": {},
        "4/tcp": {},
        "5/tcp": {}
      },
    }
]

Splunk allows it to query the hostname using myQuery | table Config.Hostname but my usecase requires to query all exposed ports. When I take a look into the extracted fields at the left side, it seems like splunk skips all dicts without content (even if the childs are empty). Therefore the whole ExposedPorts dict is not available. Further more: until now I have no idea how to query dict names instead of the value.

Sidenote: I used INDEXED_EXTRACTIONS = JSON because the LINE_BREAKER option wasn't able to split the json events correctly (they are logged one per line separated by \n). Due to the indexed-time extraction there is no _raw field I can throw a fancy regex at. The data I am talking about is the output of docker inspect XXXX just in case one is going to reproduce it.

Tags (2)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-02-2018 02:05 AM

Hi @mertox,
In your python script if you change your line of code to below:

data = {"data" : data}
f.write( json.dumps(data, sort_keys=True)+'\n' )

Try the above code. Hope this helps!!!

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-01-2018 06:41 AM

Hi @mertox,
It would be easiest solution if you can change anything on source where event is being generated. Make the event event perfect JSON and Splunk will handle rest very easily.
If that is not possible then you would required to write regex to extract all fields.

Reply

mertox
Explorer
‎11-01-2018 08:05 AM

The data is written by a python script which dumps the restults using

f.write( json.dumps(data, sort_keys=True)+'\n' )

To my understanding this is the best way to do it...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...