Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Expand json string into searchable fields

murad
Observer
‎12-15-2023 04:40 PM

Hi
Kinda a new to splunk . Sending data to splunk via HEC. Its a DTO which contains various fields, one of them being requestBody which is a string and it contains the JSON Payload my end point is receiving. When viewing the log event within splunk, the requestBody stays as string. I was hoping that it could be expanded so that the json fields could be searchable. 

As you can see, when i click on "body", the whole line is selected. I am hoping for , for example, "RYVBNQ" to be individually selectable so that i can do searches against that. 

murad_0-1702687096243.png

 

Labels (3)
Labels
0 Karma
Reply

dtburrows3
Builder
‎12-15-2023 05:35 PM

Looks like the HEC event is sending the "Request.body" field as a string literal and splunks KV_MODE=json (or INDEXED_EXTRACTION=json) is extracting it that way. 

It should be possible to extract it from there still but if you want it extracted at search time you may need to either adjust the source sending the data to send "Request.body" as a valid json array or set up a calculated field in props.conf to get the desired fields extracted (regex is also an option using props/transforms)

Here is some SPL of simulated data to give an example of what I think is going on and how Splunk is extracting the fields.

| makeresults
    | eval
        _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": \"[ { \\\"recordLocator\\\": \\\"RYVBNQ\\\" } ]\", \"hostname\": \"IT-SALI\" }",
        example="Example 1: JSON Payload sent with 'Request.body{}' as a string wrapped in quotes"
    | spath input=_raw
    | append
        [
            | makeresults
                | eval
                    _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": [ { \"recordLocator\": \"RYVBNQ\" } ], \"hostname\": \"IT-SALI\" }",
                    example="Example 2: JSON Payload sent with 'Request.body{}' as a json array (no quotes)"
                ``` The spath below would better represent how splunk would parse it at search time using KV_Mode=json if the array wasn't wrapped in double quotes ```
                | spath input=_raw
            ]
    | fields - _time
    | fields + example, _raw, "Request.body", "Request.body{}.recordLocator"


Output looks something like this.

dtburrows3_0-1702690298873.png

It is also possible to still get those fields in your search pipeline if that is the route you want to go.

| makeresults
    | fields _ time
    | eval
        _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": \"[ { \\\"recordLocator\\\": \\\"RYVBNQ\\\", \\\"depStartDate\\\": \\\"2023-12-14T14:00:19.671Z\\\", \\\"depEndDate\\\": \\\"2023-12-15T09:20:19.671Z\\\" } ]\", \"hostname\": \"IT-SALI\" }",
        example="Example 1: JSON Payload sent with 'Request.body{}' as a string wrapped in quotes"
    | spath input=_raw
    
    ``` This spath command should extract fields in "Request.body" fully and will be available with fieldnames formatted with a leading "{}" since it is an array ```
    | spath input=Request.body
    
    | fields + _raw, Request.body, "{}.*"

 
Snapshot of the expected output

dtburrows3_1-1702690494842.png


From here you can rename the funky "{}.*" fields by doing the SPL

| rename "{}.*" as *
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-16-2023 09:20 PM

Note that Request.body is an array, which is flattened as multivalue.  This means that the any field inside Request.body is also multivalued.  The code should handle this.  The most common method is to add mvexpand against the array.

 

| spath input=Request.body path={}
| mvexpand {}
| spath input={}

 

Using the same emulation @dtburrows3 provides, the output is

ParentIdRequest.bodyRequet.hostnameRequest.typedepEndDatedepStartDatarecordLocator{}
 [ { "recordLocator": "RYVBNQ", "depStartDate": "2023-12-14T14:00:19.671Z", "depEndDate": "2023-12-15T09:20:19.671Z" } ]IT-SALIRequestLogDTO2023-12-15T09:20:19.671Z2023-12-14T14:00:19.671ZRYVBNQ{ "recordLocator": "RYVBNQ", "depStartDate": "2023-12-14T14:00:19.671Z", "depEndDate": "2023-12-15T09:20:19.671Z" }

 

Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-15-2023 05:21 PM

one more questions pls...

are you able to use "spath" splunk command to view each json field separately?

https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Spath

if yes, then, you can use regular expressions (rex) to search portion of the field u r looking to search. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...