Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract Json object as field?

karthi2809
Builder
‎03-04-2024 04:15 AM

Hi ,

How to extract the fields from below json logs.

Here we have fields like content.jobname and content.region .But i need to extract  content.payload details.how to extract the value.

 

 

"content" : {
    "jobName" : "PAY",
    "region" : "NZ",
    "payload" : [ {
      "Aresults" : [ {
        "count" : "6",
        "errorMessage" : null,
        "filename" : "9550044.csv"
      } ]
    }, {
      "Bresults" : [ {
        "count" : "6",
        "errorMessage" : null,
        "filename" : "9550044.csv"
      } ]
    } ]
  }

 

 

 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-04-2024 04:27 AM

Hi 

As @richgalloway said, have you look command spath?

There are quite many old answers where are asked quite similar questions. Just use google/bing or what ever to find those.

r. Ismo

Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-04-2024 04:24 AM

What have you tried so far?  Did you try the spath command?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

karthi2809
Builder
‎03-04-2024 09:34 AM

Yes i tried but in my case need to extract whole content.payload as one field.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-04-2024 03:47 PM

The first step is to make sure the data is valid JSON because the spath command will not work with invalid JSON.  jsonlint.com rejected the sample object.

Here is a run-anywhere example that extracts payload as a single field.

| makeresults format=json data="[{\"content\" : {
    \"jobName\" : \"PAY\",
    \"region\" : \"NZ\",
    \"payload\" : [ {
      \"Aresults\" : [ {
        \"count\" : \"6\",
        \"errorMessage\" : null,
        \"filename\" : \"9550044.csv\"
      } ]
    }, {
      \"Bresults\" : [ {
        \"count\" : \"6\",
        \"errorMessage\" : null,
        \"filename\" : \"9550044.csv\"
      } ]
    } ]
  }}
  ]"
| spath output=payload content.payload{}
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...