Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract value from JSON array of objects

AlexMcDuffMille
Communicator
‎08-18-2015 10:53 AM

I have a JSON object that has an array inside of it. The array is a list of objects, not just a list of values. See below for an example.

I want to extract the 'duration' field for each event when the name is 'responseTime'. Does anyone know how to do that? I can also assume that it's always going to be the 2nd entry in the list, so if I could do something like Timings[1] that would work. I can't seem to get spath to work because I'm looking for an item within an array.

In the end, I would like to do something like graph/table the duration of the 'providerTime' and the 'responseTime'

{
    Timings: [ 
      { 
         duration:  218 
         name:  providerTime
      } 
      { 
         duration:  204 
         name:  responseTime
      } 
    ] 
 }
Reply

somesoni2
Revered Legend
‎08-18-2015 03:17 PM

My answer will assume following
1) The data is ingested as proper JSON and you should be seeing multivalued field for your array elements (KV_MODE = json)
2) As you said, responseTime is the 2nd element in and it appears only one.

So try something like this

your base search  | table Timings{}.* | eval temp=mvzip('Timings{}.duration','Timings{}.name',"##") | eval ResponseTime=mvindex(split(mvfilter(match(temp,".*##responseTime")),"##"),0)
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...