I have data in Splunk as follows:
log: [INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : {"uniqueNumber": "12345", "key-2": "value-2",.. "key-n": "value-n", "returnCode": "A12"}
and I am trying to extract key-value pairs from the double-quoted JSON as below:
myquery "response body from MYSERVICE" | rex "\"uniqueNumber\":\s\"(?<unumber>.*)\"" | rex "\"returnCode\":\s\"(?<retcode>.*)\"" | table unumber retcode
I am expecting to populate the below table:
+---------+---------+
| unumber | retcode |
+---------+---------+
| 123455 | A12 |
| 123456 | A10 |
| 123457 | A03 |
| 123458 | A01 |
+---------+---------+
There is a space between the key and value after the colon, which I tried to match using \s, but it generates an empty table.
Any ideas?
PS: I am using Splunk Enterprise 7.1.2.
I tried this with a small change in the regex and it is working.
Try the run-anywhere search below:
| makeresults |eval _raw=" log: [INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : {\"uniqueNumber\": \"12345\", \"key-2\": \"value-2\",.. \"key-n\": \"value-n\", \"returnCode\": \"A12\"}"| rex "\"uniqueNumber\":\s\"(?<unumber>[^\"]+)" | rex "\"returnCode\":\s\"(?<retcode>[^\"]+)"
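To see why the answer's `[^"]+` works where the question's `.*` does not, here is an added Python example (not code from the thread or from Splunk) that runs both patterns with Python's `re` module over constructed log lines shaped like the one in the question. The sample lines, their `uniqueNumber`/`returnCode` values, and the `extract_rows` helper are assumptions for illustration; Python names groups `(?P<name>...)` where Splunk's rex uses `(?<name>...)`, but the matching semantics of `\s`, `.*` and `[^"]+` are the same.

```python
import re

# Constructed log lines modelled on the one in the question; the values follow
# the table the asker expects.
LINES = [
    'log: [INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : '
    '{"uniqueNumber": "%s", "key-2": "value-2", "key-n": "value-n", "returnCode": "%s"}' % pair
    for pair in [("123455", "A12"), ("123456", "A10"), ("123457", "A03"), ("123458", "A01")]
]

# The question's pattern: a greedy .* runs to the LAST quote on the line, so the
# capture swallows every later key-value pair as well.
GREEDY_UNUMBER = re.compile(r'"uniqueNumber":\s"(?P<unumber>.*)"')

# The answer's patterns: a negated class [^"]+ stops at the first closing quote.
UNUMBER = re.compile(r'"uniqueNumber":\s"(?P<unumber>[^"]+)"')
RETCODE = re.compile(r'"returnCode":\s"(?P<retcode>[^"]+)"')


def capture(pattern, line, group):
    """Return the named group's text, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group(group) if m else None


def extract_rows(lines):
    """Mimic `| rex ... | rex ... | table unumber retcode` over a list of events."""
    rows = []
    for line in lines:
        rows.append((capture(UNUMBER, line, "unumber"),
                     capture(RETCODE, line, "retcode")))
    return rows


if __name__ == "__main__":
    print("greedy capture:", capture(GREEDY_UNUMBER, LINES[0], "unumber"))
    for unumber, retcode in extract_rows(LINES):
        print(unumber, retcode)
```

Running it shows the greedy capture for the first line is `123455", "key-2": ... "returnCode": "A12` rather than `123455`; the negated-class version yields the four clean rows from the expected table.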
I made some more changes in the regex and it works now. I had to escape the escape backslash, as this is how Splunk showed the raw text, like \"returnCode\": \"A01\"}\n","stream":"stdout","time":"2018-12-06T22:01:43.653111599Z"}. Not sure why Splunk escapes this way; deferring this to the experts.
The final query looks like:
index=myidx "mysearchstring" "response body from MYSERVICE" | rex field=_raw "uniqueNumber[^\"]+\":\s*[^\"]+\"(?
You could also grab the JSON into a field and spath the results...
Like so:
| makeresults
| eval _raw="[INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : {\"uniqueNumber\": \"12345\", \"key-2\": \"value-2\", \"key-n\": \"value-n\", \"returnCode\": \"A12\"}"
| rex field=_raw "response body from \w+ \: (?<json>\{.+\})$"
| spath input=json
outputs:
**_time**
2018-10-04 12:48:35
**_raw**
[INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : {"uniqueNumber": "12345", "key-2": "value-2", "key-n": "value-n", "returnCode": "A12"}
**json**
{"uniqueNumber": "12345", "key-2": "value-2", "key-n": "value-n", "returnCode": "A12"}
**key-2**
value-2
**key-n**
value-n
**returnCode**
A12
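The spath approach above parses the payload as JSON instead of matching quotes, and it also explains the escaped `\"returnCode\": \"A01\"}\n","stream":"stdout","time":...` form the asker saw a few comments earlier. Here is an added Python example (not code from the thread or from Splunk) that does the same thing offline: it extracts the `{...}` tail the answer's `rex` captures, parses it with `json`, and, as an assumption, treats the escaped form as an event wrapped in a `{"log": ..., "stream": ..., "time": ...}` JSON envelope that must be unwrapped first. The question's original pattern returns nothing on the wrapped form (the `":` it expects is `\":` there), which is consistent with the empty table. The `TOLERANT` pattern, `unwrap`, `extract_response`, `to_row` and `regex_unumber` names are illustration choices, not anything in the thread.

```python
import json
import re

# Constructed plain event, modelled on the spath answer's sample.
PLAIN = ('[INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): '
         'response body from MYSERVICE : {"uniqueNumber": "12345", "key-2": "value-2", '
         '"key-n": "value-n", "returnCode": "A12"}')

# Constructed event in the escaped form the asker reported, assumed here to be a
# JSON log envelope around the application line (hence the \" and \n in _raw).
WRAPPED = json.dumps({
    "log": PLAIN + "\n",
    "stream": "stdout",
    "time": "2018-12-06T22:01:43.653111599Z",
})

# Same idea as the answer's rex: capture the service name and the JSON object at line end.
JSON_TAIL = re.compile(r'response body from (?P<service>\w+) : (?P<json>\{.+\})$')

# The question's pattern, kept for comparison: it needs a bare ": and so fails on WRAPPED.
NAIVE_UNUMBER = re.compile(r'"uniqueNumber":\s"(?P<unumber>.*)"')

# A rex-style alternative for those staying with regex: each quote may carry an
# optional escaping backslash, and the value stops at a quote or a backslash.
TOLERANT = re.compile(r'\\?"uniqueNumber\\?":\s*\\?"(?P<unumber>[^"\\]+)')


def unwrap(raw):
    """Return the inner 'log' text if raw is a JSON log envelope, else raw unchanged."""
    if raw.startswith("{"):
        try:
            outer = json.loads(raw)
        except json.JSONDecodeError:
            return raw
        if isinstance(outer, dict) and isinstance(outer.get("log"), str):
            return outer["log"].rstrip("\n")
    return raw


def extract_response(raw):
    """Return (service, body_dict) for the response payload, or None if absent/invalid."""
    m = JSON_TAIL.search(unwrap(raw))
    if not m:
        return None
    try:
        body = json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None
    return m.group("service"), body


def to_row(raw, fields=("uniqueNumber", "returnCode")):
    """Equivalent of `| spath input=json | table uniqueNumber returnCode` for one event."""
    found = extract_response(raw)
    if found is None:
        return None
    _, body = found
    return {f: body.get(f) for f in fields}


def naive_unumber(raw):
    m = NAIVE_UNUMBER.search(raw)
    return m.group("unumber") if m else None


def regex_unumber(raw):
    m = TOLERANT.search(raw)
    return m.group("unumber") if m else None


if __name__ == "__main__":
    for label, raw in (("plain", PLAIN), ("wrapped", WRAPPED)):
        print(label, "spath-style:", to_row(raw),
              "| question regex:", naive_unumber(raw),
              "| tolerant regex:", regex_unumber(raw))
```

Parsing the payload as JSON is the more robust route: it does not care about escaping or key order, and a value containing a quote or comma cannot break the extraction the way it breaks a quote-delimited regex.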
I tried to use spath, but I had to make more regex changes, so I went with regex. Thank you for your help!
Thank you. This works as-is, but if I add this regex to my query, it is not working. I need to specify the index and search query to make it dynamic, such as:
index=myidx "MYNEWSERVICE" "response body from MYSERVICE" | rex "\"uniqueNumber\":\s\"(?<unumber>[^\"]+)" | rex "\"returnCode\":\s\"(?<retcode>[^\"]+)" | table retcode unumber
Is it possible to skip eval, as I need to use dynamic query results?
Thank you!
|makeresults is a generating command used just to test with sample data... you will use the rex command after index=...