Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Expand json string into searchable fields

murad
Observer
‎12-15-2023 04:40 PM

Hi
Kinda a new to splunk . Sending data to splunk via HEC. Its a DTO which contains various fields, one of them being requestBody which is a string and it contains the JSON Payload my end point is receiving. When viewing the log event within splunk, the requestBody stays as string. I was hoping that it could be expanded so that the json fields could be searchable. 

As you can see, when i click on "body", the whole line is selected. I am hoping for , for example, "RYVBNQ" to be individually selectable so that i can do searches against that. 

murad_0-1702687096243.png

 

Labels (3)
Labels
0 Karma
Reply

dtburrows3
Builder
‎12-15-2023 05:35 PM

Looks like the HEC event is sending the "Request.body" field as a string literal and splunks KV_MODE=json (or INDEXED_EXTRACTION=json) is extracting it that way. 

It should be possible to extract it from there still but if you want it extracted at search time you may need to either adjust the source sending the data to send "Request.body" as a valid json array or set up a calculated field in props.conf to get the desired fields extracted (regex is also an option using props/transforms)

Here is some SPL of simulated data to give an example of what I think is going on and how Splunk is extracting the fields.

| makeresults
    | eval
        _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": \"[ { \\\"recordLocator\\\": \\\"RYVBNQ\\\" } ]\", \"hostname\": \"IT-SALI\" }",
        example="Example 1: JSON Payload sent with 'Request.body{}' as a string wrapped in quotes"
    | spath input=_raw
    | append
        [
            | makeresults
                | eval
                    _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": [ { \"recordLocator\": \"RYVBNQ\" } ], \"hostname\": \"IT-SALI\" }",
                    example="Example 2: JSON Payload sent with 'Request.body{}' as a json array (no quotes)"
                ``` The spath below would better represent how splunk would parse it at search time using KV_Mode=json if the array wasn't wrapped in double quotes ```
                | spath input=_raw
            ]
    | fields - _time
    | fields + example, _raw, "Request.body", "Request.body{}.recordLocator"


Output looks something like this.

dtburrows3_0-1702690298873.png

It is also possible to still get those fields in your search pipeline if that is the route you want to go.

| makeresults
    | fields _ time
    | eval
        _raw="{\"ParentId\": \"\", \"Request\": {\"type\": \"RequestLogDTO\", \"body\": \"[ { \\\"recordLocator\\\": \\\"RYVBNQ\\\", \\\"depStartDate\\\": \\\"2023-12-14T14:00:19.671Z\\\", \\\"depEndDate\\\": \\\"2023-12-15T09:20:19.671Z\\\" } ]\", \"hostname\": \"IT-SALI\" }",
        example="Example 1: JSON Payload sent with 'Request.body{}' as a string wrapped in quotes"
    | spath input=_raw
    
    ``` This spath command should extract fields in "Request.body" fully and will be available with fieldnames formatted with a leading "{}" since it is an array ```
    | spath input=Request.body
    
    | fields + _raw, Request.body, "{}.*"

 
Snapshot of the expected output

dtburrows3_1-1702690494842.png


From here you can rename the funky "{}.*" fields by doing the SPL

| rename "{}.*" as *
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-16-2023 09:20 PM

Note that Request.body is an array, which is flattened as multivalue.  This means that the any field inside Request.body is also multivalued.  The code should handle this.  The most common method is to add mvexpand against the array.

 

| spath input=Request.body path={}
| mvexpand {}
| spath input={}

 

Using the same emulation @dtburrows3 provides, the output is

ParentIdRequest.bodyRequet.hostnameRequest.typedepEndDatedepStartDatarecordLocator{}
 [ { "recordLocator": "RYVBNQ", "depStartDate": "2023-12-14T14:00:19.671Z", "depEndDate": "2023-12-15T09:20:19.671Z" } ]IT-SALIRequestLogDTO2023-12-15T09:20:19.671Z2023-12-14T14:00:19.671ZRYVBNQ{ "recordLocator": "RYVBNQ", "depStartDate": "2023-12-14T14:00:19.671Z", "depEndDate": "2023-12-15T09:20:19.671Z" }

 

Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-15-2023 05:21 PM

one more questions pls...

are you able to use "spath" splunk command to view each json field separately?

https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Spath

if yes, then, you can use regular expressions (rex) to search portion of the field u r looking to search. 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...