Re: Failed to parse a JSON string

erwanlebaron · ‎09-25-2020

Hi

I get data from an CSV file and one of the filed imported is a JSON string called "Tags" which looks like that

Tags = {"tag1": "toto" "tag2": "tata" "tag4": "titi"} --> exemple for a line
Tags = {"tag3": "toto" "tag4": "tata"} --> exemple for another line

The delimitation between key and value is <colon>+<space>
The delimitation between two key+value is <space>

I tried

| spath input=Tags

but when I do

| table tag1, tag2, tag3, tag4

I get value only for tag1.

I tried to find a way to solve it by looking other topics but I do not succed.

I understood that my string is not correctly formatted like a "real" Json but I don't fin the command to convert my initialy field "Tags" into a correct Json format to apply the "spath" command

Is there anybody has an idea to do it

Thanks in adance

erwanlebaron · ‎09-25-2020

It works by doing that before the spath command

| eval Tags_json=replace(Tags,": ",":")
| eval Tags_json=replace(Tags_json,"\" \"","\",\"")

But it doesn't look very elegant...

There is a better solution ?

Failed to parse a JSON string

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Join the Conversation