Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I parse a log containing multiple JSON records?

yk010123
Path Finder
‎10-04-2022 08:07 AM

I have the following log: 

 

 

Requests over Threshold found: {"kv":{"top_requests":[{"operation_name":"get","last_dispatch_duration_us":136231,"last_remote_socket":"xx","last_local_id":"67B57F7300000001/00000000C1E2DBA3","last_local_socket":"xxx:37894","total_dispatch_duration_us":136231,"total_server_duration_us":3,"operation_id":"0x127f1","timeout_ms":250,"last_server_duration_us":3,"total_duration_us":136516},{"operation_name":"get","last_dispatch_duration_us":135914,"last_remote_socket":"xxx","last_local_id":"67B57F7300000001/00000000C1E2DBA3","last_local_socket":"xxx:37894","total_dispatch_duration_us":135914,"total_server_duration_us":15,"operation_id":"0x127e9","timeout_ms":250,"last_server_duration_us":15,"total_duration_us":135985},{"operation_name":"get","last_dispatch_duration_us":135827,"last_remote_socket":"xxx.xxx:11210","last_local_id":"67B57F7300000001/000000006A92D90B","last_local_socket":"xxx:59306","total_dispatch_duration_us":135827,"total_server_duration_us":15,"operation_id":"0x127e7","timeout_ms":250,"last_server_duration_us":15,"total_duration_us":135946}],"total_count":3}}

 

 

How can I parse this? 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2022 10:04 AM

Depending on what you want - assuming you are just looking at top_requests, you could do something like this

| rex "Requests over Threshold found: (?<json>.*)"
| spath input=json kv.top_requests{} output=top_requests
| mvexpand top_requests
| spath input=top_requests

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2022 09:24 AM 
| rex "Requests over Threshold found: (?<json>.*)"
| spath input=json
Reply
Solved! Jump to solution

yk010123
Path Finder
‎10-04-2022 09:33 AM

How can I format this to a table? 

Is this the right approach? 

 

rex "Requests over Threshold found: (?<json>.*)"| spath input=json
| table kv.*
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2022 09:35 AM

It depends on what you are trying to achieve

Reply
Solved! Jump to solution

yk010123
Path Finder
‎10-04-2022 09:48 AM

I am trying to show all the fields in a table format so I can sort and analyze them

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2022 10:04 AM

Depending on what you want - assuming you are just looking at top_requests, you could do something like this

| rex "Requests over Threshold found: (?<json>.*)"
| spath input=json kv.top_requests{} output=top_requests
| mvexpand top_requests
| spath input=top_requests
Reply
Solved! Jump to solution

yk010123
Path Finder
‎10-04-2022 10:06 AM

I would like to show all the fields from the JSON in a table format such that we have field=value

0 Karma
Reply
Solved! Jump to solution

yk010123
Path Finder
‎10-04-2022 10:11 AM

If we have multiple entries in the JSON, it should create individual rows

0 Karma
Reply
Solved! Jump to solution

yk010123
Path Finder
‎10-04-2022 10:13 AM

Perhaps this? 

 

| spath input=json kv.top_requests{} output=top_requests | mvexpand top_requests
| spath input=top_requests
| table operation_name last_dispatch_duration_us last_remote_socket last_local_id last_local_socket total_dispatch_duration_us total_server_duration_us operation_id timeout_ms last_server_duration_us total_duration_us
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...