I have the following JSON, but I'm not really familiar with Splunk's rex function.
I tried this command without success: | rex "(?{[^}]+})" | mvexpand json_field | spath input=json_field
[
{
"Eqpt Class Description": null,
"Eqpt Criticality": "D",
"Eqpt Criticality Desc": "Non Essential",
"Eqpt Description": null,
"Eqpt Type Description": "Instrumentation",
"Maint Plant Caption": null,
"Maint Plant Filter Code": null,
"Maint Plant ID": null
},
{
"Eqpt Class Description": null,
"Eqpt Criticality": "D",
"Eqpt Criticality Desc": "Non Essential",
"Eqpt Description": null,
"Eqpt Type Description": "Instrumentation",
"Maint Plant Caption": null,
"Maint Plant Filter Code": null,
"Maint Plant ID": null
},
{
"Eqpt Class Description": null,
"Eqpt Criticality": "D",
"Eqpt Criticality Desc": "Non Essential",
"Eqpt Description": null,
"Eqpt Type Description": "Instrumentation",
"Maint Plant Caption": null,
"Maint Plant Filter Code": null,
"Maint Plant ID": null
}
]
For me to be able to build a dashboard with it, I need it displayed similarly to this:
Could someone please help me parse this on "}, {"?
Hi @gcescatto,
There are 2 ways to achieve this. The first is to ingest the JSON data with correct extractions before indexing, and the other is to achieve this via a search query.
Here you can assign the configuration below on a universal forwarder and then restart Splunk on the universal forwarder.
props.conf
[yoursourcetype]
INDEXED_EXTRACTIONS = JSON
Below is the search query to parse the data correctly:
<yourBaseSearch> | spath input=_raw | rename {}.* AS *
The above query will extract many fields like Eqpt Class Description, Eqpt Criticality, etc.
Here is a run-anywhere search to test on any Splunk instance.
| makeresults
| eval _raw="[
{
\"Eqpt Class Description\": null,
\"Eqpt Criticality\": \"D\",
\"Eqpt Criticality Desc\": \"Non Essential\",
\"Eqpt Description\": null,
\"Eqpt Type Description\": \"Instrumentation\",
\"Maint Plant Caption\": null,
\"Maint Plant Filter Code\": null,
\"Maint Plant ID\": null
},
{
\"Eqpt Class Description\": null,
\"Eqpt Criticality\": \"D\",
\"Eqpt Criticality Desc\": \"Non Essential\",
\"Eqpt Description\": null,
\"Eqpt Type Description\": \"Instrumentation\",
\"Maint Plant Caption\": null,
\"Maint Plant Filter Code\": null,
\"Maint Plant ID\": null
},
{
\"Eqpt Class Description\": null,
\"Eqpt Criticality\": \"D\",
\"Eqpt Criticality Desc\": \"Non Essential\",
\"Eqpt Description\": null,
\"Eqpt Type Description\": \"Instrumentation\",
\"Maint Plant Caption\": null,
\"Maint Plant Filter Code\": null,
\"Maint Plant ID\": null
}
]"
| spath input=_raw
| rename {}.* AS *
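The search above parses the array, but each renamed field comes back as a multivalue field holding all three objects' values in one row. For a dashboard table you usually want one row per array element instead. The following run-anywhere search is an added example, not part of the answer or the question; it extracts the array elements with spath's path="{}", expands them into separate rows with mvexpand, and parses each element on its own. The field name item and the two-object test event (with values deliberately differing from the question's data so the row split is visible) are constructed for this example.

```spl
| makeresults
| eval _raw="[{\"Eqpt Criticality\": \"D\", \"Eqpt Criticality Desc\": \"Non Essential\", \"Eqpt Type Description\": \"Instrumentation\", \"Maint Plant ID\": null}, {\"Eqpt Criticality\": \"A\", \"Eqpt Criticality Desc\": \"Essential\", \"Eqpt Type Description\": \"Pump\", \"Maint Plant ID\": \"1000\"}]"
| spath input=_raw path="{}" output=item
| mvexpand item
| spath input=item
| fields - _raw item
| table "Eqpt Criticality" "Eqpt Criticality Desc" "Eqpt Type Description" "Maint Plant ID"
```

The result is two rows, one per object, with the field names exactly as they appear in the JSON (no {}. prefix, so no rename is needed). Keys whose value is null, such as Maint Plant ID in the first object, simply come back empty. If you prefer the rex route from the question, note that rex needs a named capture group and max_match=0 to return every object (for example rex max_match=0 "(?<json_field>\{[^}]+\})" before mvexpand), and that the [^}]+ pattern breaks as soon as an object contains nested braces; the spath path="{}" form has neither limitation.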