Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Retrive only the key object from the json outp...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Retrive only the key object from the json output
JyotiP
Path Finder
09-18-2019
05:15 AM
I have the following output and I want to extract only the key value of the JSON and those are addNewOrder,navigateReport etc in a table.
Details: {
addNewOrder: {
dur: 7706ms
end: Wed Sep 18 2019 14:38:48 GMT+0530 (India Standard Time)
navigationAPIData: {
connectEnd: 1568797694032
connectStart: 1568797694032
domComplete: 1568797694775
domContentLoadedEventEnd: 1568797694542
domContentLoadedEventStart: 1568797694542
domInteractive: 1568797694542
domLoading: 1568797694255
domainLookupEnd: 1568797694032
domainLookupStart: 1568797694032
fetchStart: 1568797694032
}
start: Wed Sep 18 2019 14:38:40 GMT+0530 (India Standard Time)
}
login: {
dur: 7046ms
end: Wed Sep 18 2019 14:38:17 GMT+0530 (India Standard Time)
navigationAPIData: {
connectEnd: 1568797694032
connectStart: 1568797694032
domComplete: 1568797694775
domContentLoadedEventEnd: 1568797694542
domContentLoadedEventStart: 1568797694542
domInteractive: 1568797694542
domLoading: 1568797694255
domainLookupEnd: 1568797694032
domainLookupStart: 1568797694032
fetchStart: 1568797694032
}
}
navigateReport: {
dur: 2804ms
end: Wed Sep 18 2019 14:38:28 GMT+0530 (India Standard Time)
}
navigateOrder: {
dur: 1804ms
end: Wed Sep 18 2019 14:38:23 GMT+0530 (India Standard Time)
}
openNewOrder: {
dur: 1700ms
end: Wed Sep 18 2019 14:38:33 GMT+0530 (India Standard Time)
}
openUrl: {
dur: 3011ms
end: Wed Sep 18 2019 14:38:00 GMT+0530 (India Standard Time)
}
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkat54
SplunkTrust
09-19-2019
04:20 AM
Check out extended examples number 2 & 3 here:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Spath
You need to spath, rename, zip, and then mvexpand. It's tricky but well documented. Follow the steps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
klischatb
Path Finder
09-18-2019
05:47 AM
have u tried field extractions with regex like : dur:\s(?(\d{1,4}))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JyotiP
Path Finder
09-18-2019
05:55 AM
Tried, but not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
09-18-2019
05:20 AM
@JyotiP
Can you please share valid JSON event and your expected output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JyotiP
Path Finder
09-18-2019
05:57 AM
@kamlesh_vaghela I have updated the JSON
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
09-18-2019
11:02 PM
Thanks @JyotiP
It would be better if a single sample event from _raw. Like below
{"trx":[{"type":"y","src":"x","htlids":[{"htlid":"XX123456","errCode":"1257"}]},{"type":"y","src":"x","htlids":[{"htlid":"YY123456","errCode":"1257"}]}],"ClientId":245860224012578433,"SeqNb":3102,"Type":"RsMonitor","Epoch":1568798767432}
Another question:
Your all mentioend fields addNewOrder,login,navigateReport,navigateOrder,openNewOrder,openUrl have other fields. Do you need any specific fields like dur from these fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JyotiP
Path Finder
09-19-2019
03:47 AM
@kamlesh_vaghela nope I want to select only the above-mentioned value in a table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JyotiP
Path Finder
09-18-2019
05:27 AM
@kamlesh_vaghela the JSON output is too big, I only want to select the Kep value and put them in the table,
addNewOrder,login,navigateReport,navigateOrder,openNewOrder,openUrl
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Cultivate Your Career Growth with Fresh Splunk Training
Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...
Introducing a Smarter Way to Discover Apps on Splunkbase
We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.
Because we’ve ...
