Re: How to extract value from search response whic...

aliosa · ‎08-24-2023

Hello

I am beginner with Splunk.
I made a query and my search result is like

text1 text2 text3 response: {
   "status":"UP",
   "object1":{
      "field1":"name1",
      "status":"UP"
   },
   "object2":{
      "field2":"name2",
      "status":"UP"
   },
   "object3":{
      "object4":{
         "field4":"name4",
         "status":"UP"
      },
      "object5":{
         "field5":"name5",
         "status":"UP"
      },
      "status":"UP"
   },
   "object6":{
      "field6":"name6",
      "status":"UP"
   }
}

I want to obtain the value for object3.status for a column of table.
How to do this ?
With rex field=_raw or spath ?

Thank you in advance.

aliosa · ‎08-24-2023

Hello
That json come in search response in multiple lines.
This is not working for me

rex "response: (?<response>.*)"
because response is "{".

Maybe rex should ignore new line characters (\n) to solve this situation.

and response would be all json {....}

aliosa · ‎08-25-2023

Hello
I use

| rex "response: (?s)(?<response>.*)"
| spath input=response object3{}.status output=status
| table response, status
and it works.

Any better idea ?

ITWhisperer · ‎08-25-2023

I have updated my response.

If it works, this is probably the easiest way to do it. Any other method is likely to be more complex.

aliosa · ‎08-26-2023

ok

thank you.

ITWhisperer · ‎08-24-2023

| rex "response: (?s)(?<response>.*)"
| spath input=response object3.status output=status
| table status

How to extract value from search response which has a text plus json?

rex

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap

Are you a member of the Splunk Community?

How to extract value from search response which has a text plus json?

rex

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap