Splunk Search

How do I extract multiple key values from a double quoted JSON?

baskarkrishnanc
Engager

I have data in Splunk as follows:

log:     [INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : {"uniqueNumber": "12345", "key-2": "value-2",.. "key-n": "value-n", "returnCode": "A12"}

and I am trying to extract key-value pairs from the double-quoted JSON as below:

myquery "response body from MYSERVICE" |  rex "\"uniqueNumber\":\s\"(?<unumber>.*)\"" |  rex "\"returnCode\":\s\"(?<retcode>.*)\"" | table unumber retcode

I am expecting to populate the below table:

+---------+---------+
| unumber | retcode |
+---------+---------+
|  123455 | A12     |
|  123456 | A10     |
|  123457 | A03     |
|  123458 | A01     |
+---------+---------+

There is a space between key-value pairs after the colon, which I tried to match using \s, but it generates an empty table.
Any ideas?

PS: I am using Splunk Enterprise 7.1.2.

0 Karma
1 Solution

493669
Super Champion

I tried this with a small change in the regex and it is working.
Try the run-anywhere search below:

| makeresults |eval _raw=" log:     [INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : {\"uniqueNumber\": \"12345\", \"key-2\": \"value-2\",.. \"key-n\": \"value-n\", \"returnCode\": \"A12\"}"|  rex "\"uniqueNumber\":\s\"(?<unumber>[^\"]+)" |  rex "\"returnCode\":\s\"(?<retcode>[^\"]+)"

0 Karma

baskarkrishnanc
Engager

I made some more changes in the regex and it works now. I had to escape the escaping backslash, as this is how Splunk showed the raw text, like \"returnCode\": \"A01\"}\n","stream":"stdout","time":"2018-12-06T22:01:43.653111599Z"}. Not sure why Splunk escapes this way; deferring this to the experts.

Final query looks like:

index=myidx "mysearchstring" "response body from MYSERVICE" | rex field=_raw "uniqueNumber[^\"]+\":\s*[^\"]+\"(?<uniqueNumber>[^\\\"]+)" | rex field=_raw "returnCode[^\"]+\":\s*[^\"]+\"(?<Return_Code>[^\\\"]+)" | table uniqueNumber Return_Code

0 Karma
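An added Python example, not code from the thread or from Splunk, that reproduces both answers' extraction strategies on constructed events: the negated-class regex from the accepted answer (with an optional backslash so it also fits the escaped \" form baskarkrishnanc hit) and darrenfuller's cut-out-the-object-and-parse approach. The container wrapper shape ({"log": ..., "stream": ..., "time": ...}) is assumed from the snippet quoted above, and Python's re stands in for Splunk's PCRE, which treats these constructs the same way.

```python
import json
import re

# Constructed sample events modelled on the thread: a plain line, and the same kind of
# line as a container log shipper wraps it, with the inner quotes backslash-escaped.
PLAIN = ('[INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): '
         'response body from MYSERVICE : {"uniqueNumber": "12345", "key-2": "value-2", '
         '"key-n": "value-n", "returnCode": "A12"}')
WRAPPED = ('{"log":"[INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): '
           'response body from MYSERVICE : {\\"uniqueNumber\\": \\"12346\\", '
           '\\"returnCode\\": \\"A01\\"}\\n","stream":"stdout",'
           '"time":"2018-12-06T22:01:43.653111599Z"}')

# rex approach (the accepted answer): [^"]+ stops at the first quote, where the
# original greedy .* ran on to the last one. \\? makes each quote's escaping
# backslash optional so one pattern fits both event shapes.
FIELD_RE = {
    "unumber": re.compile(r'\\?"uniqueNumber\\?":\s*\\?"(?P<v>[^"\\]+)'),
    "retcode": re.compile(r'\\?"returnCode\\?":\s*\\?"(?P<v>[^"\\]+)'),
}

def rex_fields(raw: str) -> dict:
    """One capture per field, like a chain of rex commands; unmatched fields are absent."""
    out = {}
    for name, pat in FIELD_RE.items():
        m = pat.search(raw)
        if m:
            out[name] = m.group("v")
    return out

# spath approach (darrenfuller's answer): cut the object out once and parse it, so
# every key becomes a field without one rex per key.
OBJ_RE = re.compile(r'response body from \w+ : (\{.*\})')

def spath_fields(raw: str) -> dict:
    """Return the parsed JSON object embedded in the event, or {} if none is found."""
    text = raw
    if text.lstrip().startswith("{"):  # container wrapper: the real event is in "log"
        try:
            outer = json.loads(text)
            if isinstance(outer, dict) and isinstance(outer.get("log"), str):
                text = outer["log"]  # loading the wrapper turns \" back into "
        except ValueError:
            pass  # not a wrapper; treat the line as the event itself
    m = OBJ_RE.search(text)
    try:
        return json.loads(m.group(1)) if m else {}
    except ValueError:
        return {}  # truncated or non-JSON body: no fields rather than wrong ones
```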

darrenfuller
Contributor

You could also grab the JSON into a field and spath the results...

like so:

| makeresults 
| eval _raw="[INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : {\"uniqueNumber\": \"12345\", \"key-2\": \"value-2\", \"key-n\": \"value-n\", \"returnCode\": \"A12\"}" 
| rex field=_raw "response body from \w+ \: (?<json>\{.+\})$"
| spath input=json

outputs:

**_time**
2018-10-04 12:48:35

**_raw**
[INFO ] 17:01:43.572 : [main] o.a.k.c.Processor:process(103): response body from MYSERVICE : {"uniqueNumber": "12345", "key-2": "value-2", "key-n": "value-n", "returnCode": "A12"}

**json**
{"uniqueNumber": "12345", "key-2": "value-2", "key-n": "value-n", "returnCode": "A12"}

**key-2**
value-2

**key-n**
value-n

**returnCode**
A12

0 Karma

baskarkrishnanc
Engager

I tried to use spath but I had to make more regex changes so I went with regex. Thank you for your help!

0 Karma

baskarkrishnanc
Engager

Thank you. This works as-is, but if I add this regex to my query, it is not working. I need to specify the index and search query to make it dynamic, such as

index=myidx "MYNEWSERVICE" "response body from MYSERVICE" | rex "\"uniqueNumber\":\s\"(?<unumber>[^\"]+)" |  rex "\"returnCode\":\s\"(?<retcode>[^\"]+)" | table retcode unumber

Is it possible to skip eval, as I need to use dynamic query results?

0 Karma

baskarkrishnanc
Engager

Thank you!

0 Karma

493669
Super Champion

| makeresults is a generating command used just to test with sample data... you will use the rex command after index=...

0 Karma