Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract elements of a json (not a json array)

weidertc
Contributor
4 weeks ago

I have a json from Grafana.

| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| eval json_valid = if(json_valid(json), "Valid", "Invlaid")
| spath input=json path=datasources{} output=datasources

 

the only other relative piece of information not shown above is some values within the inner braces themselves contain braces, so using a regex unfortunately hasn't worked.

I need to extract the elements of "dataSources", but the | spath is not working.

I need a multivalue field like this

\"ds_a\": {}
\"ds_b\": {}
\"ds_c\": {}

 

How can i do this when dataSources is not a [] ?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
4 weeks ago 
| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| eval json_valid = if(json_valid(json), "Valid", "Invlaid")
| eval keys = json_keys(json)
| eval datasources = json_extract(json,json_array_to_mv(keys))
| eval datasources_keys = json_keys(datasources)
| eval mv_keys=json_array_to_mv(datasources_keys)
| foreach mode=multivalue mv_keys
    [| eval array=if(isnull(array),"\"".<<ITEM>>."\": ".json_extract(datasources,<<ITEM>>),mvappend(array,"\"".<<ITEM>>."\": ".json_extract(datasources,<<ITEM>>)))]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
4 weeks ago

You want a multivalued field with each field being a "crippled json"?

You could use json_keys() and then do some sort of foreach-based eval.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
4 weeks ago 
| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| eval json_valid = if(json_valid(json), "Valid", "Invlaid")
| eval keys = json_keys(json)
| eval datasources = json_extract(json,json_array_to_mv(keys))
| eval datasources_keys = json_keys(datasources)
| eval mv_keys=json_array_to_mv(datasources_keys)
| foreach mode=multivalue mv_keys
    [| eval array=if(isnull(array),"\"".<<ITEM>>."\": ".json_extract(datasources,<<ITEM>>),mvappend(array,"\"".<<ITEM>>."\": ".json_extract(datasources,<<ITEM>>)))]
0 Karma
Reply
Solved! Jump to solution

weidertc
Contributor
3 weeks ago

thanks, this is it.

i updated it so it isn't "crippled" (per other comment) for those who need this instead.  it need not result in valid json for me.

| makeresults count=1
| eval json = "{
\"datasources\": {
\"ds_a\": {},
\"ds_b\": {},
\"ds_c\": {}
}
}"
| eval json_valid = if(json_valid(json), "Valid", "Invlaid")
| eval keys = json_keys(json)
| eval datasources = json_extract(json,json_array_to_mv(keys))
| eval datasources_keys = json_keys(datasources)
| eval mv_keys=json_array_to_mv(datasources_keys)
| foreach mode=multivalue mv_keys
[| eval array=if(isnull(array), "{\"".<<ITEM>>."\": ". json_extract(datasources,<<ITEM>>) . "}", mvappend(array,"{\"" . <<ITEM>> . "\": " . json_extract(datasources,<<ITEM>>) . "}"))]

 

 Thanks for your help!

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
3 weeks ago

This can be further simplified using the json_array mode of foreach.

| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| spath input=json path=datasources

| eval key = json_keys(datasources)
| foreach key mode=json_array
    [ eval object = mvappend(object, '<<ITEM>>' . ":" . spath(datasources, <<ITEM>>)) ]
Reply
Solved! Jump to solution

weidertc
Contributor
3 weeks ago

this also works well.

Adding in the surrounding {} for those who need the result as valid json.

| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| spath input=json path=datasources

| eval key = json_keys(datasources)
| foreach key mode=json_array
    [ eval object = mvappend(object, "{\"" . <<ITEM>> . "\": " . spath(datasources, <<ITEM>>) . "}") ]

 

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...