Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a particular field and value from JSON data in Splunk?

khandelwaly
Explorer
‎12-12-2020 10:37 AM

We have the below data, out of which I wanted to extract a particular field and value from the json format.

 

PLATFORMINSTRUMENTS {“timestamp”:“1607797705",“instrumentList”:[{“name”:“dbcp.numIdle”,“value”:“100”},{“name”:“entity.versions.total”,“value”:“66137”}{“name”:“http.session.objects”,“value”:“2443”},{“name”:“dbcp.numActive”,“value”:“0”},
{“name”:“http.sessions”,“value”:“544”},
{“name”:“dbcp.maxActive”,“value”:“-1”}]}

 

expected output:

dbcp.numActive : 0 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2020 11:41 AM

Assuming you have already got or can get your JSON into a field (I have used _raw in this example) and that it is properly formatted (your text doesn't use proper double-quotes and you are missing a comma between two parts of your list), you could do something like this.

| makeresults | eval _raw="{\"timestamp\":\"1607797705\",\"instrumentList\":[{\"name\":\"dbcp.numIdle\",\"value\":\"100\"},{\"name\":\"entity.versions.total\",\"value\":\"66137\"},{\"name\":\"http.session.objects\",\"value\":\"2443\"},{\"name\":\"dbcp.numActive\",\"value\":\"0\"},
{\"name\":\"http.sessions\",\"value\":\"544\"},
{\"name\":\"dbcp.maxActive\",\"value\":\"-1\"}]}"
| spath input=_raw
| rename "instrumentList{}.name" as name "instrumentList{}.value" as value
| eval namevalue=mvzip(name, value, ":")
| fields - _raw _time name value
| mvexpand namevalue
| rex field=namevalue "(?<name>[^:]+):(?<value>.+)"
| fields - namevalue
| where name="dbcp.numActive"
| eval {name}=value

I wasn't sure if you wanted the name and value in different fields or a field named as the name with the value in it so I have shown both.

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2020 11:41 AM

Assuming you have already got or can get your JSON into a field (I have used _raw in this example) and that it is properly formatted (your text doesn't use proper double-quotes and you are missing a comma between two parts of your list), you could do something like this.

| makeresults | eval _raw="{\"timestamp\":\"1607797705\",\"instrumentList\":[{\"name\":\"dbcp.numIdle\",\"value\":\"100\"},{\"name\":\"entity.versions.total\",\"value\":\"66137\"},{\"name\":\"http.session.objects\",\"value\":\"2443\"},{\"name\":\"dbcp.numActive\",\"value\":\"0\"},
{\"name\":\"http.sessions\",\"value\":\"544\"},
{\"name\":\"dbcp.maxActive\",\"value\":\"-1\"}]}"
| spath input=_raw
| rename "instrumentList{}.name" as name "instrumentList{}.value" as value
| eval namevalue=mvzip(name, value, ":")
| fields - _raw _time name value
| mvexpand namevalue
| rex field=namevalue "(?<name>[^:]+):(?<value>.+)"
| fields - namevalue
| where name="dbcp.numActive"
| eval {name}=value

I wasn't sure if you wanted the name and value in different fields or a field named as the name with the value in it so I have shown both.

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...