Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract field from json array?

haobin
Explorer
‎11-24-2010 08:00 AM

If I have a log which is in JSON format and contains array in JSON, can Splunk extract values in this array? For example,

{"name": ["john", "mark", "abby"]}

how can I write a regular expression to parse this string and get the field like

name=john name=mark name=abby

Thank you.

Tags (1)
Reply

markmcd
Path Finder
‎07-25-2013 12:54 AM

After having played around with the 'jsonkv' tool in the 'jsonutils' app on SplunkBase, I got stuck on parsing array values.

Fortunately Splunk 5 has a search command 'spath' that does the job.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Spath

I had to extract the JSON component of my log entry into its own field and pass it to |spath input=raw_json, then the rest worked as documented.

Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-04-2011 03:08 AM

Here's the poor-man's method of extracting the multi-value array for the name field at search time. This example will strip any surrounding punctuation from the names. It assumes that your sourcetype is "jsonarray", and it will create a multi-valued field called 'name_mv' that contains the array elements.

PROPS.CONF:
[jsonarray]
REPORT-json = xf-jsonarray, xf-jsonmv

TRANSFORMS.CONF:
[xf-jsonarray]
REGEX  = \{"(?<_KEY_1>[^"]+)":\s\[(?<_VAL_1>[^\]]+)

[xf-jsonmv]
SOURCE_KEY = name
REGEX = ("?)(?<name_mv>[^,"]*)("?)(,\s*)?
MV_ADD = true

With the mv field created, you can then do searches that look for array elements, like:

sourcetype=jsonarray name_mv=abby

HTH
Ron

Reply

carasso
Splunk Employee
Splunk Employee
‎01-06-2011 07:00 PM

Splunk does not parse json at index time, and at search-time any sort of regex would do a half-hearted job, especially on your example where a value is a list.

There are two options:

1) The fastest option is to add a scripted input. For example, you can write a little python program to convert json to attr=val format and output the logs in a friendly format, before splunk is called: http://www.splunk.com/base/Documentation/latest/Admin/Setupcustom%28scripted%29inputs

2) Another option is to write a custom search command to do the conversion for you at search-time. It's slower, but allows you to tweak it as needed, and apply it only when you want -- http://www.splunk.com/base/Documentation/latest/SearchReference/Customsearchshape

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-04-2011 02:42 AM

Conveniently, someone has written some of these utilities and put them up on Splunkbase: http://splunkbase.splunk.com/apps/All/4.x/app:jsonutils

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...