Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting a JSON boolean value

danl
Explorer
‎08-18-2020 03:30 PM

I've been unable to get a boolean value extracted from JSON written to Splunk. The data looks like this:

   build: {
     build_id: bubyut7oi7xlg
     cache: {
       remote_enabled: false
     }
  }

Here's my search:

index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| spath
| rename build.cache.remote_enabled as remote
| eval remote_cache = if(remote=="false", "false", "true")
| table build.build_id remote_cache

I've tried a number of different combinations for remote=="false" using no quotes, single quotes, different cases. I've also tried directly using build.cache.remote_enabled == "false". (though another another post says eval will concatenate fields. Even quoted, it makes no difference).  The result should be "false" and  is always "true":

build.build_id     remote_cache
bubyut7oi7xlg   true

I've also used tostring() to show the remote_enabled value and it shows NULL.

Any ideas? Are JSON boolean values supported?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

danl
Explorer
‎08-19-2020 07:58 AM

I noticed when I tried your code - creating _raw, this worked. Note I fixed the "==" :

| eval _raw="{\"build\":{\"build_id\":\"bubyut7oi7xlg\",\"cache\":{\"remote_enabled\":false}}}"
| spath
| eval check = if('build.cache.remote_enabled'=="false", "boolean", "string")
| table check

However when I use the _raw value (which is much larger than my small subset, it fails).  I knew the _raw text was large, but I checked and I was surprised to see it was  > 5K characters. I did try using spath with an input path to try and give it a more precise starting point, but I guess it doesn't work that way. So I'm sure that is why mine was failing.  Your initial suggestion works fine by testing with quoted "false"!

To work around my problem,  I use this to extract the (fortunately unique) named value:

index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| rex field=_raw "\"remote_enabled\":(?P<remote_enabled>[^,]*)"
| table remote_enabled

Thanks for your suggestions. It helped!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-18-2020 04:42 PM

 

index=_internal | head 1 | fields _raw
| eval _raw="{\"build\":{\"build_id\":\"bubyut7oi7xlg\",\"cache\":{\"remote_enabled\":false}}}"
| spath
| eval check = if('build.cache.remote_enabled'="false","boolean","string")
| table *

 

build.build_id build.cache.remote_enabled check _raw
bubyut7oi7xlgfalseboolean{"build":{"build_id":"bubyut7oi7xlg","cache":{"remote_enabled":false}}}

my splunk is ver 8.0.3. there is no problem.

0 Karma
Reply
Solved! Jump to solution

danl
Explorer
‎08-18-2020 05:25 PM

thanks to4kawa. I tried your code, altering slightly for my search:

index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| spath
| eval check = if('build.cache.remote_enabled'="false", "boolean", "string")
| table check

I get "string" for the value of check. I'm running Splunk V7.2.7.3 and this is the raw text of the search result:

{
"build": {
"build_id": "bubyut7oi7xlg",
"cache": {
"remote_enabled": false
}
}
}

 

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-18-2020 07:41 PM

worth watching below video if you are beginner in regular expressions.

Regular expressions in Splunk 

Can share _raw to give you correct regex?

formatted json may have special characters which will not appear here.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-18-2020 05:34 PM

wow, that's interesting.

workaround:

index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| rex mode=sed "s/false/\"false\"/g s/true/\"true\"/g"
| spath

Reply
Solved! Jump to solution
Solution

danl
Explorer
‎08-19-2020 07:58 AM

I noticed when I tried your code - creating _raw, this worked. Note I fixed the "==" :

| eval _raw="{\"build\":{\"build_id\":\"bubyut7oi7xlg\",\"cache\":{\"remote_enabled\":false}}}"
| spath
| eval check = if('build.cache.remote_enabled'=="false", "boolean", "string")
| table check

However when I use the _raw value (which is much larger than my small subset, it fails).  I knew the _raw text was large, but I checked and I was surprised to see it was  > 5K characters. I did try using spath with an input path to try and give it a more precise starting point, but I guess it doesn't work that way. So I'm sure that is why mine was failing.  Your initial suggestion works fine by testing with quoted "false"!

To work around my problem,  I use this to extract the (fortunately unique) named value:

index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| rex field=_raw "\"remote_enabled\":(?P<remote_enabled>[^,]*)"
| table remote_enabled

Thanks for your suggestions. It helped!

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top