Solved: How to regex over nested jsons with foreach and re...

neuromantik · ‎01-25-2020

Hi everyone,

Currently I have a log record in the form of nested jsons, not arrays of jsons:

{"root_key": {"subkey_0": {nested json string}, ... , "subkey_N": {nested json string}}}

I want to extract some fields with rex from each subkey json string.
Is it possible somehow to accomplish this by foreach and rex?

Something like this pseudocode:

foreach subkey:
    (field_value_0, ... field_value_M) <--- rex(subkey json string)

The goal is to build the following list:

[
    [field_value_0, ... field_value_M],
    ...
    [field_value_0, ... field_value_M]
]

And to display it with table command.

to4kawa · ‎01-25-2020

| makeresults 
| eval _raw="{\"root_key\": {\"subkey_0\": {a},\"subkey_1\": {b} , \"subkey_N\": {c}}}" 
| rex ":(?<json>.+)}$"
| rex field=json max_match=1000 ": \{(?<field_value>.+?)\}"

limits: 1000 objects. if you want more, change max_match args.

View solution in original post

to4kawa · ‎01-25-2020

| makeresults 
| eval _raw="{\"root_key\": {\"subkey_0\": {a},\"subkey_1\": {b} , \"subkey_N\": {c}}}" 
| rex ":(?<json>.+)}$"
| rex field=json max_match=1000 ": \{(?<field_value>.+?)\}"

limits: 1000 objects. if you want more, change max_match args.

How to regex over nested jsons with foreach and rex?

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to regex over nested jsons with foreach and rex?

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!