Extracting fields from nested JSON event

kmaron
Motivator

I have a very complex nested JSON event and need to extract 2 fields. I've managed it with less complicated ones but this one has me a bit stumped.

I need to get the avgCycles and totalExecutions for each iRule - keeping hold of the name of the iRule. 

My event looks like this:

{ [-]
   clientSslProfiles: { [+]
   }
   deviceGroups: { [+]
   }
   httpProfiles: { [+]
   }
   iRules: { [-]
     /Department/Shared/Department_HTML_rewrite_Rule: { [-]
       application: Shared
       events: { [-]
         CLIENT_ACCEPTED: { [+]
         }
         HTML_TAG_MATCHED: { [+]
         }
         HTTP_REQUEST: { [+]
         }
         HTTP_RESPONSE: { [-]
           aborts: 0
           avgCycles: 28338
           failures: 0
           maxCycles: 1882653
           minCycles: 8898
           priority: 550
           totalExecutions: 86269
         }
       }
       name: /Department/Shared/Department_HTML_rewrite_Rule
       tenant: Department
     }
     /Common/Office-Rule: { [+]
     }
     /Common/Debug-Rule: { [+]
.....

0 Karma

to4kawa
Ultra Champion

The command cannot be applied firmly because there is no log of _raw, but spath output= should be fine.

0 Karma

kmaron
Motivator

I don't understand what you're saying. I need to pull out only the avgCycles and totalExecutions for every iRule, attached to the name of the iRule, but I do not know how many there are, or what they are named. spath is just the start. It doesn't do the extraction or allow me to isolate those fields when I don't know the iRule names.

0 Karma

to4kawa
Ultra Champion

I can't make a regular expression because you're only presenting the processed log. Also, there are no multiple logs.

0 Karma

to4kawa
Ultra Champion

Why don't you spath and table?

0 Karma

kmaron
Motivator

@to4kawa I can spath but I have no idea how many iRules there will be per event or what they are named, and I don't know how many event types there will be or what they are named.

0 Karma
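
The traversal the question asks for, written in Python outside Splunk as an added example (not from the thread or from Splunk): it discovers the iRule names and the event names at run time instead of relying on fixed paths. It assumes the raw event is one complete JSON document; the sample event is constructed, and the per-rule roll-up (summed executions, execution-weighted avgCycles) goes one step beyond what the post asks for.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the event in the question. The HTTP_RESPONSE
# numbers are the ones shown in the post; every other value is made up.
SAMPLE_RAW = json.dumps({
    "httpProfiles": {},
    "iRules": {
        "/Department/Shared/Department_HTML_rewrite_Rule": {
            "name": "/Department/Shared/Department_HTML_rewrite_Rule",
            "events": {
                "HTTP_REQUEST": {"avgCycles": 10000, "totalExecutions": 13731},
                "HTTP_RESPONSE": {"avgCycles": 28338, "totalExecutions": 86269},
            },
        },
        "/Common/Office-Rule": {"events": {"HTTP_REQUEST": {"avgCycles": 0, "totalExecutions": 0}}},
        "/Common/Debug-Rule": {"name": "/Common/Debug-Rule"},  # no events recorded
    },
})

def irule_rows(raw):
    """One row per (iRule, event), discovering both sets of key names at run time."""
    irules = json.loads(raw).get("iRules")
    rows = []
    for key, rule in (irules.items() if isinstance(irules, dict) else []):
        if not isinstance(rule, dict):
            continue
        events = rule.get("events")
        for event, stats in (events.items() if isinstance(events, dict) else []):
            if isinstance(stats, dict):
                # Fall back to the dictionary key when the rule has no "name" field.
                rows.append({"iRule": rule.get("name", key), "event": event,
                             "avgCycles": stats.get("avgCycles"),
                             "totalExecutions": stats.get("totalExecutions")})
    return rows

def per_rule(rows):
    """Roll events up per iRule: summed executions, execution-weighted avgCycles."""
    execs, cycles = defaultdict(int), defaultdict(int)
    for r in rows:
        n, avg = r["totalExecutions"] or 0, r["avgCycles"] or 0
        execs[r["iRule"]] += n
        cycles[r["iRule"]] += n * avg
    # A rule that never executed has no meaningful average, so report None.
    return {name: {"totalExecutions": n,
                   "avgCycles": round(cycles[name] / n) if n else None}
            for name, n in execs.items()}

if __name__ == "__main__":
    for row in irule_rows(SAMPLE_RAW):
        print(row)
    print(per_rule(irule_rows(SAMPLE_RAW)))
```
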