Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Extract JSON format as fields?

karthi2809
Builder
‎02-23-2022 08:49 PM

Need to extract json file in fields

{

"AAA":

{

"modified_files": [ "\"b/C:\\\\/HEAD\"",

"\"b/C:\\\\/dev\"",

"\"b/C:\\\\HEAD\"" ]

},

"BBB":

{

"modified_files": [ "\"b/C:\\\\/HEAD\"",

"\"b/C:\\\\/dev\"",

"\"b/C:\\\\HEAD\"" ]

}

}

Expected Output as:

AAA,BBB is application name

eg:

Application: AAA

Thanks in advance

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-24-2022 11:52 PM

Is this something you are looking for?

 

| foreach *.modified_files{}
    [ eval application=mvappend(application,"<<MATCHSTR>>" . "|" . mvjoin('<<MATCHSTR>>.modified_files{}', "|"))]
| fields application
| mvexpand application
| eval application = split(application, "|")
| eval application.modified_files=mvindex(application,1,-1), application.name=mvindex(application,0)
| table application.*

 

Here, I assume that your indexed JSON has already been extracted, i.e., "flattened" into fields like AAA.modified_files{} and BBB.modified_files{}.  If not, add |spath to do so.

The sample input gives the following:

application.modified_files
application.name
"b/C:\/HEAD"
"b/C:\/dev"
"b/C:\HEAD"
AAA
"b/C:\/HEAD"
"b/C:\/dev"
"b/C:\HEAD"
BBB

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-24-2022 11:52 PM

Is this something you are looking for?

 

| foreach *.modified_files{}
    [ eval application=mvappend(application,"<<MATCHSTR>>" . "|" . mvjoin('<<MATCHSTR>>.modified_files{}', "|"))]
| fields application
| mvexpand application
| eval application = split(application, "|")
| eval application.modified_files=mvindex(application,1,-1), application.name=mvindex(application,0)
| table application.*

 

Here, I assume that your indexed JSON has already been extracted, i.e., "flattened" into fields like AAA.modified_files{} and BBB.modified_files{}.  If not, add |spath to do so.

The sample input gives the following:

application.modified_files
application.name
"b/C:\/HEAD"
"b/C:\/dev"
"b/C:\HEAD"
AAA
"b/C:\/HEAD"
"b/C:\/dev"
"b/C:\HEAD"
BBB
Reply
Solved! Jump to solution

karthi2809
Builder
‎02-28-2022 04:39 AM

 

@yuanliu In my json file i have another application which modified field is empty but now the application ccc is not extracting as application.

Thanks 

 

{
"AAA":
{
"modified_files": [ "\"b/C:\\\\/HEAD\"",
                    "\"b/C:\\\\/dev\"",
                    "\"b/C:\\\\HEAD\"" ]
},
"BBB":
{
"modified_files": [ "\"b/C:\\\\/HEAD\"",
                    "\"b/C:\\\\/dev\"",
                    "\"b/C:\\\\HEAD\"" ]
},
"CCC":
{
"modified_files": [
 ]
}
}

 

 

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-28-2022 09:32 AM

Splunk doesn't output anything with empty array (bug?).  In the past, I used sed to add a distinct string to represent empty arrays.  This will work if you accept the cost of extra extraction.

 

| rex mode=sed "s/\[\s*\]/[\"\"]/"
| spath
| foreach *.modified_files{}
    [ eval application=mvappend(application,"<<MATCHSTR>>" . "|" . mvjoin('<<MATCHSTR>>.modified_files{}', "|"))]
| fields application
| mvexpand application
| eval application = split(application, "|")
| eval application.modified_files=mvindex(application,1,-1), application.name=mvindex(application,0)
| table application.*

 

Here, AAA.modified_files{} and BBB.modified_files{} are already extracted when you do your search, but they are discarded.  They get extracted once more in SPL after you fake the empty array.

Output from sample data:

application.modified_files
application.name
"b/C:\/HEAD"
"b/C:\/dev"
"b/C:\HEAD"
AAA
"b/C:\/HEAD"
"b/C:\/dev"
"b/C:\HEAD"
BBB
 CCC
Tags (2)
Reply
Solved! Jump to solution

karthi2809
Builder
‎02-28-2022 08:53 PM

 @yuanliu  perfect Thanks.

0 Karma
Reply
Solved! Jump to solution

karthi2809
Builder
‎02-28-2022 03:43 AM

@yuanliu i have another query by using your query its giving dynamic fields and how can i get the  counts of the dynamic fields.

0 Karma
Reply
Solved! Jump to solution

venky1544
Builder
‎02-24-2022 08:36 AM

@karthi2809  Hey 

it could be that the JSON you pasted here is bit different than your original data. formats usually get changed like an added space or newlines when you copy paste if you could attach a sample file here probably can see why the query is not working and what is the sourcetype of your data is it _json ??

Reply
Solved! Jump to solution

venky1544
Builder
‎02-24-2022 04:35 AM

if you already ingested this data and have the sourcetype as _json 

you can use the following query 

sourcetype=_json |rex max_match=0 field=_raw "\"(?<application>\w+)\":\s\n"

 

venky1544_0-1645706100581.png

 

Reply
Solved! Jump to solution

karthi2809
Builder
‎02-24-2022 07:51 AM

@venky1544 Thanks for the solution .But i am not getting application name as fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...