- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting fields from nested JSON event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting fields from nested JSON event
I have a very complex nested JSON event and need to extract 2 fields. I've managed it with less complicated ones but this one has be a bit stumped.
I need to get the avgCycles and totalExecutions for each iRule - keeping hold of the name of the iRule.
My event looks like this:
{ [-]
clientSslProfiles: { [+]
}
deviceGroups: { [+]
}
httpProfiles: { [+]
}
iRules: { [-]
/Department/Shared/Department_HTML_rewrite_Rule: { [-]
application: Shared
events: { [-]
CLIENT_ACCEPTED: { [+]
}
HTML_TAG_MATCHED: { [+]
}
HTTP_REQUEST: { [+]
}
HTTP_RESPONSE: { [-]
aborts: 0
avgCycles: 28338
failures: 0
maxCycles: 1882653
minCycles: 8898
priority: 550
totalExecutions: 86269
}
}
name: /Department/Shared/Department_HTML_rewrite_Rule
tenant: Department
}
/Common/Office-Rule: { [+]
}
/Common/Debug-Rule: { [+]
.....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The command cannot be applied firmly because there is no log of _raw, but spath output= should be fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't understand what you're saying. I need to pull out only the avgCycles and totalExecutions for every iRule, attached to the name of the iRule. but I do not know how many there are, or what they are named. spath is just the start. It doesn't do the extraction or allow me to isolate those fields when I don't know the iRule names.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't make a regular expression because you're only presenting the processed log. Also, there are no multiple logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why don't you spath and table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa I can spath but I have no idea how many iRules there will be per event or what they are named, and I don't know how many event types there will be or what they are named.
Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)
Tech Talk | One Log to Rule Them All
Splunk Security Content for Threat Detection & Response, Q1 Roundup
