Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting fields from nested JSON event
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting fields from nested JSON event
kmaron
Motivator
12-03-2020
12:46 PM
I have a very complex nested JSON event and need to extract 2 fields. I've managed it with less complicated ones but this one has be a bit stumped.
I need to get the avgCycles and totalExecutions for each iRule - keeping hold of the name of the iRule.
My event looks like this:
{ [-]
clientSslProfiles: { [+]
}
deviceGroups: { [+]
}
httpProfiles: { [+]
}
iRules: { [-]
/Department/Shared/Department_HTML_rewrite_Rule: { [-]
application: Shared
events: { [-]
CLIENT_ACCEPTED: { [+]
}
HTML_TAG_MATCHED: { [+]
}
HTTP_REQUEST: { [+]
}
HTTP_RESPONSE: { [-]
aborts: 0
avgCycles: 28338
failures: 0
maxCycles: 1882653
minCycles: 8898
priority: 550
totalExecutions: 86269
}
}
name: /Department/Shared/Department_HTML_rewrite_Rule
tenant: Department
}
/Common/Office-Rule: { [+]
}
/Common/Debug-Rule: { [+]
.....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-08-2020
12:30 AM
The command cannot be applied firmly because there is no log of _raw, but spath output= should be fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-08-2020
05:12 AM
I don't understand what you're saying. I need to pull out only the avgCycles and totalExecutions for every iRule, attached to the name of the iRule. but I do not know how many there are, or what they are named. spath is just the start. It doesn't do the extraction or allow me to isolate those fields when I don't know the iRule names.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-08-2020
01:21 PM
I can't make a regular expression because you're only presenting the processed log. Also, there are no multiple logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-04-2020
11:00 PM
Why don't you spath and table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmaron
Motivator
12-07-2020
05:02 AM
@to4kawa I can spath but I have no idea how many iRules there will be per event or what they are named, and I don't know how many event types there will be or what they are named.
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
