Splunk Search

How to extract a JSON object which is in double quotes?

Kukkadapu
Path Finder

Hi, I've a JSON object logged into splunk in double quotes. What to do to extract the JSON object using spath. How do I ignore the double quotes before doing the spath.

2016-01-20 17:40:38,076 INFO org.apache.log4j.Logger transaction_id="1234565"
Json_object = "{

"requestId": "123",

"partnerId": "asd",

"date":"01/01/2015 14:00:00"

}"
tmepId ="123"

Thanks.

0 Karma
1 Solution

ohoppe
Path Finder

Hi,

here you go. The important bit is the line with the rex command. The rest of it I just used to simulate the event and present the result.

|stats count|eval count="2016-01-20 17:40:38,076 INFO org.apache.log4j.Logger transaction_id=\"1234565\"
Json_object = \"{
\"requestId\": \"123\",
\"partnerId\": \"asd\",
\"date\":\"01/01/2015 14:00:00\"
}\"
tmepId =\"123\""|

rex field=count "(?s)\"(?{.*})\""

|table count myjson|spath input=myjson

BR
Oliver

View solution in original post

ohoppe
Path Finder

Hi,

here you go. The important bit is the line with the rex command. The rest of it I just used to simulate the event and present the result.

|stats count|eval count="2016-01-20 17:40:38,076 INFO org.apache.log4j.Logger transaction_id=\"1234565\"
Json_object = \"{
\"requestId\": \"123\",
\"partnerId\": \"asd\",
\"date\":\"01/01/2015 14:00:00\"
}\"
tmepId =\"123\""|

rex field=count "(?s)\"(?{.*})\""

|table count myjson|spath input=myjson

BR
Oliver

Kukkadapu
Path Finder

Thanks Oliver. That worked:)

0 Karma

ohoppe
Path Finder

Very Welcome. 🙂

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...