How to extract value from search response which ha...

aliosa · ‎08-24-2023

Hello

I am beginner with Splunk.
I made a query and my search result is like

text1 text2 text3 response: {
   "status":"UP",
   "object1":{
      "field1":"name1",
      "status":"UP"
   },
   "object2":{
      "field2":"name2",
      "status":"UP"
   },
   "object3":{
      "object4":{
         "field4":"name4",
         "status":"UP"
      },
      "object5":{
         "field5":"name5",
         "status":"UP"
      },
      "status":"UP"
   },
   "object6":{
      "field6":"name6",
      "status":"UP"
   }
}

I want to obtain the value for object3.status for a column of table.
How to do this ?
With rex field=_raw or spath ?

Thank you in advance.

aliosa · ‎08-24-2023

Hello
That json come in search response in multiple lines.
This is not working for me

rex "response: (?<response>.*)"
because response is "{".

Maybe rex should ignore new line characters (\n) to solve this situation.

and response would be all json {....}

aliosa · ‎08-25-2023

Hello
I use

| rex "response: (?s)(?<response>.*)"
| spath input=response object3{}.status output=status
| table response, status
and it works.

Any better idea ?

ITWhisperer · ‎08-25-2023

I have updated my response.

If it works, this is probably the easiest way to do it. Any other method is likely to be more complex.

aliosa · ‎08-26-2023

ok

thank you.

ITWhisperer · ‎08-24-2023

| rex "response: (?s)(?<response>.*)"
| spath input=response object3.status output=status
| table status

How to extract value from search response which has a text plus json?

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation