Convert JSON to table

splunk_skr · ‎05-28-2017

I tried looking up for a solution and went through almost all suggestions. None worked for me. I have the following json log that i want to convert to table. This is the raw representation for the json.

{"timestamp": "2017-05-28T19:34:15.698Z",
    "F_A": "valuefor_F_A",
    "F_B": "valuefor_F_B",
    "F_C": "{\"x\":\"valuefor_x\",\"y\":\"valuefor_y\",\"z\":\"valuefor_z\"}",
    "F_D": "valuefor_F_D"
}

Field F_C contains most of the info which i want to see in a table. I also need the timestamp in the table. So basically here is what i am looking for

x                   y                             z                  timestamp
=====================================================================
valuefor_x         valuefor_y       valuefor_z         2017-05-28T19:34:15.698Z

Any suggestions?

jkat54 · ‎05-28-2017

The timestamp should be auto recognized:

Here's my "down and dirty, cell phone typed answer":

 ... | rex 'x\\":\\"(?<x>.+)\\",\\"y\\":\\"(?<y>.+)\\",\\"z\\":\\"(?<z>.+)\\"}"' | table x y z _time

splunk_skr · ‎05-28-2017

Thanks,,there are syntactical errors..trying to fix now.

splunk_skr · ‎05-28-2017

Unable to make it work. any other suggestions?

jkat54 · ‎05-29-2017

Change the double slashes to triple slashes, if that don't work make them quad slashes. Sorry I couldn't test first, but I'm far away from my computer.

Convert JSON to table

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Convert JSON to table

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console