Re: Help extracting information from JSON file

UnaBizLeon · ‎09-20-2017

Json Format ↓
{
"device":"A123",
"data":"28745637",
"time":"1505924687",
}

"2874" = 28.74 , means tempurature , and "5637" = 56.37% humidity .

How to display as below↓

if ( tempurature > 25 & humidity >50)
{
display matching data ;
}

UnaBizLeon · ‎09-20-2017

Thanks , My problem has been successfully resolved !!

gokadroid · ‎09-20-2017

your query to return events
| rex "data\"\:\"(?<temp>\d{4})(?<humid>\d{4})"
| search temp>2500 and humid>5000

If you want the percentages to display then you can add following to above and table the evals.

    | eval temperature=round(temp/100,2)
    | eval humidity=round(humid/100, 2)
   | table temperature, humidity

sshelly_splunk · ‎09-20-2017

In transforms.conf (to extract temperature and humidity fields)

REGEX = "data":"(?P<temperature>\d{4})(?P<humidity>\d{4})

You can than do an eval like the following:
| eval temp=round(temperature/100, 2)

I'll keep poking around to see how to insert a decimal into the field, but not sure how to do that right now:)

DalJeanis · ‎09-20-2017

@sshelly - something like this should work. I don't believe the . needs escaped in the format.

[temp]
 REGEX = "data":"(\d{2})(\d{2}) 
 DEST_KEY = temperature
 FORMAT = \1.\2

[humid]
 REGEX = "data":"\d{4}(\d{2})(\d{2}) 
 DEST_KEY = humidity
 FORMAT = \1.\2

Help extracting information from JSON file

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation