Re: How to extract the first element from the JSON...

Chandra · ‎07-07-2023

I want to extract the json object based on a single field match from below string message.

payload ::[{"name","suman", "age":"22"},{"name","raman", "age":"32"}]

If the age is 22 then print {"name","suman", "age":"22"}

ITWhisperer · ‎07-07-2023

| rex "(?<nameage>\{\"name\",\"[^\"]+\", \"age\":\"22\"\})"

However, given that this is not valid JSON, you might want to change the first comma (,) to a colon (:) to match JSON format. You also might need to include some white spaces (\s) in the match strings. (Since you have obviously provided a dummy example, there may be other tweaks you need to make!)

yuanliu · ‎07-07-2023

Note your JSON illustration is invalid. I assume you meant

{"payload":[{"name":"suman", "age":"22"},{"name":"raman", "age":"32"}]}

(This means that you have fields like payload{}.name and payload{}.age.) You can use mvexpand then search, like

| spath path=payload{}
| mvexpand payload{}
| spath input=payload{}
| where age == "22"

Or, you can use mvfind with mvindex, like

| eval match_name = mvindex('payload{}.name', mvfind('payload{}.age', "22"))
| eval match = json_object("age", "22", "name", match_name)

How to extract the first element from the JSON element based on a field match?

rex

subsearch

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to extract the first element from the JSON element based on a field match?

rex

subsearch

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25