Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract value from search response which has a text plus json?

aliosa
Loves-to-Learn Lots
‎08-24-2023 12:09 PM

Hello

I am beginner with Splunk.
I made a query and my search result is like 

 

 

text1 text2 text3 response: {
   "status":"UP",
   "object1":{
      "field1":"name1",
      "status":"UP"
   },
   "object2":{
      "field2":"name2",
      "status":"UP"
   },
   "object3":{
      "object4":{
         "field4":"name4",
         "status":"UP"
      },
      "object5":{
         "field5":"name5",
         "status":"UP"
      },
      "status":"UP"
   },
   "object6":{
      "field6":"name6",
      "status":"UP"
   }
}

 

 

I want to obtain the value for object3.status for a column of table.
How to do this ?
With rex field=_raw or spath ?

Thank you in advance.

Labels (1)
Labels
0 Karma
Reply

aliosa
Loves-to-Learn Lots
‎08-24-2023 11:11 PM

Hello
That json come in search response in multiple lines.
This is not working for me 

rex "response: (?<response>.*)"
because response is "{".

Maybe rex should ignore new line characters (\n) to solve this situation.

and response would be all json {....} 

 

0 Karma
Reply

aliosa
Loves-to-Learn Lots
‎08-25-2023 01:09 AM

Hello
I use 

| rex "response: (?s)(?<response>.*)"
| spath input=response object3{}.status output=status
| table response, status
and it  works.

Any better idea ?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-25-2023 01:50 AM

I have updated my response.

If it works, this is probably the easiest way to do it. Any other method is likely to be more complex.

0 Karma
Reply

aliosa
Loves-to-Learn Lots
‎08-26-2023 03:34 AM

ok

thank you.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 07:56 PM

 

| rex "response: (?s)(?<response>.*)"
| spath input=response object3.status output=status
| table status

 

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...