How to extract key-value pair from json object?

itnewbie · ‎08-14-2023

I have a JSON event like this:

{
...otherfields...,
"fields": {
  "id1": 123,
  "id2": 456,
  "id3": 789,
...
},
...otherfields...
}

I want to extract some key-value pairs from the "fields" object, i.e., I want to see the extracted fields in the "interesting fields" section.

For example, if I only want to extract id1 and id3, I should use

eval new_id1 = mvindex(fields.id1, 0)
eval new_id3 = mvindex(fields.id3, 0)

, right? Or is there another efficient way but not to use Foreach? I am new to the Splunk syntax so would appreciate any help.

yuanliu · ‎08-14-2023

mvindex wouldn't do anything to single valued fields.id1, fields.id3, etc. To limit fields of interest, use fields command.

| fields fields.id1 fields.id3

If you only want to display these fields in statistics tab, use table command.

ITWhisperer · ‎08-14-2023

Try something like this

| spath fields.id1 output="new_id1"
| spath fields.id3 output="new_id3"

N.B. The spath command is built for extracting fields from JSON (and XML) structured data.