Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract json values from string json array

mipa04
Engager
‎05-31-2024 04:35 AM

Hi, my splunk search results in two fields - Time and Event. Inside Event field there are multiple searchable fields, one of which is json array as string like this:
params="[{'field1':'value1','field2':'value2','field3':'value3'}]"

Above json array always has one json object like in example. I need to extract values for given fields from this json object - how can i do that? I figured spath is the way to do this, but none of solutions I found so far worked - maybe because all examples were operating on json as string only and in my case it is in Event as splunk shows in search - can you help?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2024 05:43 AM

This isn't JSON as JSON uses double quotes not single quotes. Please post an accurate representation of the field you want to extract the data from.

Having said that, you should look at the json functions new to 9.x as these would probably be the basis of a solution.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-31-2024 05:53 AM

I agree with @ITWhisperer . 

and your sample JSON looks like an array of objects also. So please share a masked event here.  

Meanwhile, I'm sharing a sample query so that you can start on the solution. 

| makeresults 
| eval params="[{'field1':'value1','field2':'value2','field3':'value3','field4':'value4'}]"
| rename comment as "upto now is sample data only"
| eval params = replace(params, "'","\"")
| eval _raw = params
| spath

 

I have handled a single quote here.   if you have valid JSON then just remove `| eval params = replace(params, "'","\"")` .

 

Thanks 
KV 

 

0 Karma
Reply

mipa04
Engager
‎05-31-2024 05:49 AM

I pasted it the same as I see in splunk search results, field params is in double quotes, but inside there are single quotes. I know that json requires double quotes, but don't know if it is only matter of displaying in splunk search, or actually it is not proper json for splunk (source for this is database table, in which it is proper json array with double quotes)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2024 08:13 AM

Rather than pasting search results, please paste the raw event data, preferably in a code block </> to preserve original formatting.

0 Karma
Reply

mipa04
Engager
‎05-31-2024 08:32 AM

I don't know if that it is in Event top level field matters, so I'm pasting screenshot of raw data. Field in question is tlogParameters

Screenshot 2024-05-31 172546.png

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-31-2024 09:22 AM

@mipa04 

I assume tlogParameters filed getting extracted properly.

Can you please try the below search?

YOUR_SEARCH
| eval tlogParameters = replace(tlogParameters, "'","\"")
| eval _raw = tlogParameters
| spath 
| rename {}.* as *

 

My Sample Search :

| makeresults 
| eval tlogParameters="[{'triggeredEventName': 'CustomerLoggedIn', 'owner': 'communicationcenter', 'channel': 'SiteMessage', 'sentOrNotSent': 'Sent', 'reasonNotSent':null}]" | append [| makeresults 
| eval tlogParameters="[{'triggeredEventName': 'CustomerLoggedIn', 'owner': 'communicationcenter', 'channel': 'SiteMessage', 'sentOrNotSent': 'Sent', 'reasonNotSent':null}]"]
| rename comment as "upto now is sample data only"
| eval tlogParameters = replace(tlogParameters, "'","\"")
| eval _raw = tlogParameters
| spath 
| rename {}.* as *

 

Screenshot 2024-05-31 at 9.52.18 PM.png

 

 I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

mipa04
Engager
‎06-02-2024 11:55 PM

Thanks for response, but unfortunately it doesn't work - 

YOUR_SEARCH
| eval tlogParameters = replace(tlogParameters, "'","\"")

this doesn't change anything - ie tlogParameters is still displayed in raw as single quotes and surrounded by double quotes as original. 

YOUR_SEARCH
| eval tlogParameters = replace(tlogParameters, "'","\"")
| eval _raw = tlogParameters

 this makes empty result (the same as full query you proposed):

Screenshot 2024-06-03 085459.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-03-2024 12:09 AM

Please paste the raw event data, preferably in a code block </> to preserve original formatting.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top