Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I access nested JSON?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I access nested JSON?
tolikuznets
Engager
08-14-2018
06:42 PM
I have message that contains nested JSON inside which contains a message field that contains a Java exception
{xxxx: "some-fields-here",
message: {"logRecordType":"X",
"timestamp":"1533748762718","threadId":"42",,"message":"Background operation retry gave up
org.apache.zookeeper.KeeperException$SessionExpiredException: KeeperErrorCode = Session expired
at org.apache.zookeeper.KeeperException.create(KeeperException.java:127)
at org.apache.curator.framework.imps.CuratorFrameworkImpl.checkBackgroundRetry(CuratorFrameworkImpl.java:728)
at org.apache.curator.framework.imps.CuratorFrameworkImpl.processBackgroundOperation(CuratorFrameworkImpl.java:516)
at org.apache.curator.framework.imps.GetChildrenBuilderImpl$2.processResult(GetChildrenBuilderImpl.java:166)
at org.apache.zookeeper.ClientCnxn$EventThread.processEvent(ClientCnxn.java:615)
at org.apache.zookeeper.ClientCnxn$EventThread.run(ClientCnxn.java:519)"}
more-json-fields
}
How do I access the nested message field? tried different variations of using spath but was never able to get the nested message, only the top-level message.
Ideally, I'd want to replace \n with ; so that it wouldn't mess up my output downstream.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
08-14-2018
11:59 PM
@tolikuznets , try the following command
<yourCurrentSearch>
| rex "\"message\":\"(?<message>[^\"]+)"
Following is a run anywhere search based on your sample data:
| makeresults
| eval _raw="{xxxx: \"some-fields-here\", message: {\"logRecordType\":\"X\", \"timestamp\":\"1533748762718\",\"threadId\":\"42\",,\"message\":\"Background operation retry gave up org.apache.zookeeper.KeeperException$SessionExpiredException: KeeperErrorCode = Session expired at org.apache.zookeeper.KeeperException.create(KeeperException.java:127) at org.apache.curator.framework.imps.CuratorFrameworkImpl.checkBackgroundRetry(CuratorFrameworkImpl.java:728) at org.apache.curator.framework.imps.CuratorFrameworkImpl.processBackgroundOperation(CuratorFrameworkImpl.java:516) at org.apache.curator.framework.imps.GetChildrenBuilderImpl$2.processResult(GetChildrenBuilderImpl.java:166) at org.apache.zookeeper.ClientCnxn$EventThread.processEvent(ClientCnxn.java:615) at org.apache.zookeeper.ClientCnxn$EventThread.run(ClientCnxn.java:519)\"} }"
| rex "\"message\":\"(?<message>[^\"]+)"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!
Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust
Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination
Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar
Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
