Re: Failed to parse a JSON string

erwanlebaron · ‎09-25-2020

Hi

I get data from an CSV file and one of the filed imported is a JSON string called "Tags" which looks like that

Tags = {"tag1": "toto" "tag2": "tata" "tag4": "titi"} --> exemple for a line
Tags = {"tag3": "toto" "tag4": "tata"} --> exemple for another line

The delimitation between key and value is <colon>+<space>
The delimitation between two key+value is <space>

I tried

| spath input=Tags

but when I do

| table tag1, tag2, tag3, tag4

I get value only for tag1.

I tried to find a way to solve it by looking other topics but I do not succed.

I understood that my string is not correctly formatted like a "real" Json but I don't fin the command to convert my initialy field "Tags" into a correct Json format to apply the "spath" command

Is there anybody has an idea to do it

Thanks in adance

erwanlebaron · ‎09-25-2020

It works by doing that before the spath command

| eval Tags_json=replace(Tags,": ",":")
| eval Tags_json=replace(Tags_json,"\" \"","\",\"")

But it doesn't look very elegant...

There is a better solution ?

Failed to parse a JSON string

field extraction

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Failed to parse a JSON string

field extraction

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0