Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to extract a JSON object which is in double quotes?

Kukkadapu
Path Finder
‎01-22-2016 02:43 PM

Hi, I've a JSON object logged into splunk in double quotes. What to do to extract the JSON object using spath. How do I ignore the double quotes before doing the spath.

2016-01-20 17:40:38,076 INFO org.apache.log4j.Logger transaction_id="1234565"
Json_object = "{

"requestId": "123",

"partnerId": "asd",

"date":"01/01/2015 14:00:00"

}"
tmepId ="123"

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ohoppe
Path Finder
‎01-27-2016 05:29 AM

Hi,

here you go. The important bit is the line with the rex command. The rest of it I just used to simulate the event and present the result.

|stats count|eval count="2016-01-20 17:40:38,076 INFO org.apache.log4j.Logger transaction_id=\"1234565\"
Json_object = \"{
\"requestId\": \"123\",
\"partnerId\": \"asd\",
\"date\":\"01/01/2015 14:00:00\"
}\"
tmepId =\"123\""|

rex field=count "(?s)\"(?{.*})\""

|table count myjson|spath input=myjson

BR
Oliver

View solution in original post

Reply
Solved! Jump to solution
Solution

ohoppe
Path Finder
‎01-27-2016 05:29 AM

Hi,

here you go. The important bit is the line with the rex command. The rest of it I just used to simulate the event and present the result.

|stats count|eval count="2016-01-20 17:40:38,076 INFO org.apache.log4j.Logger transaction_id=\"1234565\"
Json_object = \"{
\"requestId\": \"123\",
\"partnerId\": \"asd\",
\"date\":\"01/01/2015 14:00:00\"
}\"
tmepId =\"123\""|

rex field=count "(?s)\"(?{.*})\""

|table count myjson|spath input=myjson

BR
Oliver

Reply
Solved! Jump to solution

Kukkadapu
Path Finder
‎01-27-2016 08:26 AM

Thanks Oliver. That worked:)

0 Karma
Reply
Solved! Jump to solution

ohoppe
Path Finder
‎01-27-2016 08:30 AM

Very Welcome. 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...