Re: Retrive only the key object from the json outp...

JyotiP · ‎09-18-2019

I have the following output and I want to extract only the key value of the JSON and those are addNewOrder,navigateReport etc in a table.

Details: {
    addNewOrder: {
       dur: 7706ms
       end: Wed Sep 18 2019 14:38:48 GMT+0530 (India Standard Time)
       navigationAPIData: {
         connectEnd: 1568797694032
         connectStart: 1568797694032
         domComplete: 1568797694775
         domContentLoadedEventEnd: 1568797694542
         domContentLoadedEventStart: 1568797694542
         domInteractive: 1568797694542
         domLoading: 1568797694255
         domainLookupEnd: 1568797694032
         domainLookupStart: 1568797694032
         fetchStart: 1568797694032
       }
        start: Wed Sep 18 2019 14:38:40 GMT+0530 (India Standard Time)
     }
    login: {
       dur: 7046ms
       end: Wed Sep 18 2019 14:38:17 GMT+0530 (India Standard Time)
       navigationAPIData: { 
       connectEnd: 1568797694032
         connectStart: 1568797694032
         domComplete: 1568797694775
         domContentLoadedEventEnd: 1568797694542
         domContentLoadedEventStart: 1568797694542
         domInteractive: 1568797694542
         domLoading: 1568797694255
         domainLookupEnd: 1568797694032
         domainLookupStart: 1568797694032
         fetchStart: 1568797694032
       }
       }
    navigateReport: { 
       dur: 2804ms
       end: Wed Sep 18 2019 14:38:28 GMT+0530 (India Standard Time)
     }   
    navigateOrder: {
       dur: 1804ms
       end: Wed Sep 18 2019 14:38:23 GMT+0530 (India Standard Time)
       }
    openNewOrder: { 
       dur: 1700ms
       end: Wed Sep 18 2019 14:38:33 GMT+0530 (India Standard Time)
       }
    openUrl: {
       dur: 3011ms
       end: Wed Sep 18 2019 14:38:00 GMT+0530 (India Standard Time)
       }
    }

jkat54 · ‎09-19-2019

Check out extended examples number 2 & 3 here:

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Spath

You need to spath, rename, zip, and then mvexpand. It's tricky but well documented. Follow the steps.

klischatb · ‎09-18-2019

have u tried field extractions with regex like : dur:\s(?(\d{1,4}))

JyotiP · ‎09-18-2019

Tried, but not working

kamlesh_vaghela · ‎09-18-2019

@JyotiP
Can you please share valid JSON event and your expected output?

JyotiP · ‎09-18-2019

@kamlesh_vaghela I have updated the JSON

kamlesh_vaghela · ‎09-18-2019

Thanks @JyotiP

It would be better if a single sample event from _raw. Like below

 {"trx":[{"type":"y","src":"x","htlids":[{"htlid":"XX123456","errCode":"1257"}]},{"type":"y","src":"x","htlids":[{"htlid":"YY123456","errCode":"1257"}]}],"ClientId":245860224012578433,"SeqNb":3102,"Type":"RsMonitor","Epoch":1568798767432}

Another question:
Your all mentioend fields addNewOrder,login,navigateReport,navigateOrder,openNewOrder,openUrl have other fields. Do you need any specific fields like dur from these fields?

JyotiP · ‎09-19-2019

@kamlesh_vaghela nope I want to select only the above-mentioned value in a table.

JyotiP · ‎09-18-2019

@kamlesh_vaghela the JSON output is too big, I only want to select the Kep value and put them in the table,
addNewOrder,login,navigateReport,navigateOrder,openNewOrder,openUrl

Retrive only the key object from the json output

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)