Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to extract elements of a json (not a json array)

weidertc
Contributor
‎09-19-2025 07:09 AM

I have a json from Grafana.

| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| eval json_valid = if(json_valid(json), "Valid", "Invlaid")
| spath input=json path=datasources{} output=datasources

 

the only other relative piece of information not shown above is some values within the inner braces themselves contain braces, so using a regex unfortunately hasn't worked.

I need to extract the elements of "dataSources", but the | spath is not working.

I need a multivalue field like this

\"ds_a\": {}
\"ds_b\": {}
\"ds_c\": {}

 

How can i do this when dataSources is not a [] ?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2025 12:05 PM 
| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| eval json_valid = if(json_valid(json), "Valid", "Invlaid")
| eval keys = json_keys(json)
| eval datasources = json_extract(json,json_array_to_mv(keys))
| eval datasources_keys = json_keys(datasources)
| eval mv_keys=json_array_to_mv(datasources_keys)
| foreach mode=multivalue mv_keys
    [| eval array=if(isnull(array),"\"".<<ITEM>>."\": ".json_extract(datasources,<<ITEM>>),mvappend(array,"\"".<<ITEM>>."\": ".json_extract(datasources,<<ITEM>>)))]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-19-2025 10:41 AM

You want a multivalued field with each field being a "crippled json"?

You could use json_keys() and then do some sort of foreach-based eval.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2025 12:05 PM 
| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| eval json_valid = if(json_valid(json), "Valid", "Invlaid")
| eval keys = json_keys(json)
| eval datasources = json_extract(json,json_array_to_mv(keys))
| eval datasources_keys = json_keys(datasources)
| eval mv_keys=json_array_to_mv(datasources_keys)
| foreach mode=multivalue mv_keys
    [| eval array=if(isnull(array),"\"".<<ITEM>>."\": ".json_extract(datasources,<<ITEM>>),mvappend(array,"\"".<<ITEM>>."\": ".json_extract(datasources,<<ITEM>>)))]
0 Karma
Reply
Solved! Jump to solution

weidertc
Contributor
‎09-24-2025 08:23 AM

thanks, this is it.

i updated it so it isn't "crippled" (per other comment) for those who need this instead.  it need not result in valid json for me.

| makeresults count=1
| eval json = "{
\"datasources\": {
\"ds_a\": {},
\"ds_b\": {},
\"ds_c\": {}
}
}"
| eval json_valid = if(json_valid(json), "Valid", "Invlaid")
| eval keys = json_keys(json)
| eval datasources = json_extract(json,json_array_to_mv(keys))
| eval datasources_keys = json_keys(datasources)
| eval mv_keys=json_array_to_mv(datasources_keys)
| foreach mode=multivalue mv_keys
[| eval array=if(isnull(array), "{\"".<<ITEM>>."\": ". json_extract(datasources,<<ITEM>>) . "}", mvappend(array,"{\"" . <<ITEM>> . "\": " . json_extract(datasources,<<ITEM>>) . "}"))]

 

 Thanks for your help!

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-19-2025 09:45 PM

This can be further simplified using the json_array mode of foreach.

| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| spath input=json path=datasources

| eval key = json_keys(datasources)
| foreach key mode=json_array
    [ eval object = mvappend(object, '<<ITEM>>' . ":" . spath(datasources, <<ITEM>>)) ]
Reply
Solved! Jump to solution

weidertc
Contributor
‎09-24-2025 08:29 AM

this also works well.

Adding in the surrounding {} for those who need the result as valid json.

| makeresults count=1
| eval json = "{
  \"datasources\": {
    \"ds_a\": {},
    \"ds_b\": {},
    \"ds_c\": {}
  }
}"
| spath input=json path=datasources

| eval key = json_keys(datasources)
| foreach key mode=json_array
    [ eval object = mvappend(object, "{\"" . <<ITEM>> . "\": " . spath(datasources, <<ITEM>>) . "}") ]

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...