Re: How to extract the first element from the JSON...

Chandra · ‎07-07-2023

I want to extract the json object based on a single field match from below string message.

payload ::[{"name","suman", "age":"22"},{"name","raman", "age":"32"}]

If the age is 22 then print {"name","suman", "age":"22"}

ITWhisperer · ‎07-07-2023

| rex "(?<nameage>\{\"name\",\"[^\"]+\", \"age\":\"22\"\})"

However, given that this is not valid JSON, you might want to change the first comma (,) to a colon (:) to match JSON format. You also might need to include some white spaces (\s) in the match strings. (Since you have obviously provided a dummy example, there may be other tweaks you need to make!)

yuanliu · ‎07-07-2023

Note your JSON illustration is invalid. I assume you meant

{"payload":[{"name":"suman", "age":"22"},{"name":"raman", "age":"32"}]}

(This means that you have fields like payload{}.name and payload{}.age.) You can use mvexpand then search, like

| spath path=payload{}
| mvexpand payload{}
| spath input=payload{}
| where age == "22"

Or, you can use mvfind with mvindex, like

| eval match_name = mvindex('payload{}.name', mvfind('payload{}.age', "22"))
| eval match = json_object("age", "22", "name", match_name)

How to extract the first element from the JSON element based on a field match?

rex

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation