Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting a JSON boolean value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been unable to get a boolean value extracted from JSON written to Splunk. The data looks like this:
build: {
build_id: bubyut7oi7xlg
cache: {
remote_enabled: false
}
}
Here's my search:
index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| spath
| rename build.cache.remote_enabled as remote
| eval remote_cache = if(remote=="false", "false", "true")
| table build.build_id remote_cache
I've tried a number of different combinations for remote=="false" using no quotes, single quotes, different cases. I've also tried directly using build.cache.remote_enabled == "false". (though another another post says eval will concatenate fields. Even quoted, it makes no difference). The result should be "false" and is always "true":
build.build_id remote_cache
bubyut7oi7xlg true
I've also used tostring() to show the remote_enabled value and it shows NULL.
Any ideas? Are JSON boolean values supported?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed when I tried your code - creating _raw, this worked. Note I fixed the "==" :
| eval _raw="{\"build\":{\"build_id\":\"bubyut7oi7xlg\",\"cache\":{\"remote_enabled\":false}}}"
| spath
| eval check = if('build.cache.remote_enabled'=="false", "boolean", "string")
| table check
However when I use the _raw value (which is much larger than my small subset, it fails). I knew the _raw text was large, but I checked and I was surprised to see it was > 5K characters. I did try using spath with an input path to try and give it a more precise starting point, but I guess it doesn't work that way. So I'm sure that is why mine was failing. Your initial suggestion works fine by testing with quoted "false"!
To work around my problem, I use this to extract the (fortunately unique) named value:
index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| rex field=_raw "\"remote_enabled\":(?P<remote_enabled>[^,]*)"
| table remote_enabled
Thanks for your suggestions. It helped!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal | head 1 | fields _raw
| eval _raw="{\"build\":{\"build_id\":\"bubyut7oi7xlg\",\"cache\":{\"remote_enabled\":false}}}"
| spath
| eval check = if('build.cache.remote_enabled'="false","boolean","string")
| table *
| build.build_id | build.cache.remote_enabled | check | _raw |
| bubyut7oi7xlg | false | boolean | {"build":{"build_id":"bubyut7oi7xlg","cache":{"remote_enabled":false}}} |
my splunk is ver 8.0.3. there is no problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks to4kawa. I tried your code, altering slightly for my search:
index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| spath
| eval check = if('build.cache.remote_enabled'="false", "boolean", "string")
| table check
I get "string" for the value of check. I'm running Splunk V7.2.7.3 and this is the raw text of the search result:
{
"build": {
"build_id": "bubyut7oi7xlg",
"cache": {
"remote_enabled": false
}
}
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
worth watching below video if you are beginner in regular expressions.
Can share _raw to give you correct regex?
formatted json may have special characters which will not appear here.
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wow, that's interesting.
workaround:
index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| rex mode=sed "s/false/\"false\"/g s/true/\"true\"/g"
| spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed when I tried your code - creating _raw, this worked. Note I fixed the "==" :
| eval _raw="{\"build\":{\"build_id\":\"bubyut7oi7xlg\",\"cache\":{\"remote_enabled\":false}}}"
| spath
| eval check = if('build.cache.remote_enabled'=="false", "boolean", "string")
| table check
However when I use the _raw value (which is much larger than my small subset, it fails). I knew the _raw text was large, but I checked and I was surprised to see it was > 5K characters. I did try using spath with an input path to try and give it a more precise starting point, but I guess it doesn't work that way. So I'm sure that is why mine was failing. Your initial suggestion works fine by testing with quoted "false"!
To work around my problem, I use this to extract the (fortunately unique) named value:
index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg"
| rex field=_raw "\"remote_enabled\":(?P<remote_enabled>[^,]*)"
| table remote_enabled
Thanks for your suggestions. It helped!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
