How to parse a string with special format into obj...

jvdev · ‎04-14-2022

Hi there,

I have trying to use spath to try to extract fields inside a string. Currently, the string has this format..

stringField=["fieldOne": "fieldValue", "fieldTwo": "fieldValue", "fieldThree": "fieldValue"]

So, my string inside has some kinda of array with key value pairs. I would to be able to extract those fields and values in a way that I can use their information for my queries.

I would like to be able to get the value of fieldOne by just calling the fieldOne variable/object to get it's value to perform my desire task/stats and so on..

I was trying something like... but no luck!

search... | spath input=stringField

search... | eval newVariable=spath(_raw,'stringField')

search... | spath

search... | spath path=stringField output=newField

The first option of just using input with the spath command only gave me back the first field inside my string. And it was listed as {} field.

I would really appreciate the help!

ITWhisperer · ‎04-15-2022

| eval stringField="{".trim(stringField,"[]")."}"
| spath input=stringField

How to parse a string with special format into objects or variables?

field extraction

fields

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!