Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

convert raw data in the event into json format

sekhar463
Path Finder
‎07-06-2023 06:04 AM

Hai All,

we have some data coming from splunk DB connect and one field has RAW data as below 

how to convert the  json payload data into readable format as i have attached pic how it should convert and below is the json data 

The field we want to perform json operations on is report_json

tried with below search but not working and is anything we need to update in the DB query end to get the output

index="test1" 
| search NOT errors="*warning Puppet*" NOT errors="*Permission*" report_json=*
| eval json_string=json(report_json), test=report_json
| table json_string, test, len(test)


Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-06-2023 08:36 AM

Assuming your actually data has correct json (not the truncated version you supplied), if the report_json field has not already been extracted, then you can use this to extract it and use spath to parse the json string.

| rex "report_json=\"(?<report_json>.*)"
| spath input=report_json
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2023 07:31 AM

Please explain what you mean by "not working".  What results do you expect and what results do you get?

The sample event does not contain valid JSON in the result_json field.  Specifically, it's missing a closing brace and bracket.  Splunk's JSON functions don't handle invalid JSON.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sekhar463
Path Finder
‎07-07-2023 04:00 AM

we are getting this data using DB connect from postgre db using below query and has 2 fields  report_json AND I have modified the query to to convert json object.

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...