Re: Json within Json in a modular input...

jet · ‎08-17-2022

I have a modular input to write to Splunk using

event = Event()

event.data = json.dumps(data)

ew.write_event(event)

This all works fine except that in some event.data records there is a detail field that also contains data in json format which is written to Splunk as a string.

How do I perform field extraction and index the data contained in the one detail field which is json within json?

yuanliu · ‎08-17-2022

As I often remind people, it is much easier for others to help if they can see sample data.

The answer to your question really depends on how the JSON string is escaped. In the simplest situation, spath is sufficient. In the following example, field c is already conformant.

| spath input=c

_raw	a	b	c	i1	i2
{"a":1,"b":2,"c":"{\"i1\":4,\"i2\":5}"}	1	2	{"i1":4,"i2":5}	4	5

jet · ‎08-17-2022

Thanks!

In the attached simple example, the detail field contains json which ideally I would like indexed....

yuanliu · ‎08-17-2022

All you need is to replace input=c with input=detail in my sample code, i.e.,

| spath input=detail

jet · ‎08-18-2022

Spoiler

Awesome! Is there anyway to set that as a default from a modular input?

yuanliu · ‎08-18-2022

By modular input you mean a sourcetype and such? No. (Maybe you can submit as an idea at ideas.splunk.com. There was another very recent question of a similar nature.)

How do I perform field extraction and index the data contained in the one detail field which is json within json?

field extraction

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application