Solved: Re: How to regex over nested jsons with foreach an...

neuromantik · ‎01-25-2020

Hi everyone,

Currently I have a log record in the form of nested jsons, not arrays of jsons:

{"root_key": {"subkey_0": {nested json string}, ... , "subkey_N": {nested json string}}}

I want to extract some fields with rex from each subkey json string.
Is it possible somehow to accomplish this by foreach and rex?

Something like this pseudocode:

foreach subkey:
    (field_value_0, ... field_value_M) <--- rex(subkey json string)

The goal is to build the following list:

[
    [field_value_0, ... field_value_M],
    ...
    [field_value_0, ... field_value_M]
]

And to display it with table command.

to4kawa · ‎01-25-2020

| makeresults 
| eval _raw="{\"root_key\": {\"subkey_0\": {a},\"subkey_1\": {b} , \"subkey_N\": {c}}}" 
| rex ":(?<json>.+)}$"
| rex field=json max_match=1000 ": \{(?<field_value>.+?)\}"

limits: 1000 objects. if you want more, change max_match args.

View solution in original post

to4kawa · ‎01-25-2020

| makeresults 
| eval _raw="{\"root_key\": {\"subkey_0\": {a},\"subkey_1\": {b} , \"subkey_N\": {c}}}" 
| rex ":(?<json>.+)}$"
| rex field=json max_match=1000 ": \{(?<field_value>.+?)\}"

limits: 1000 objects. if you want more, change max_match args.

How to regex over nested jsons with foreach and rex?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to regex over nested jsons with foreach and rex?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits