Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON nested field extraction

wilcomply13
Explorer
‎01-24-2022 11:43 AM

I have the following JSON:

{
    "kind": "report",
    "id": {
        "time": "2021-12-24T15:45:01.331Z",
    },
    "events": [
        {
            "parameters": [
                {
                    "name": "field1",
                    "boolValue": true
                },
                {
                    "name": "field2",
                    "boolValue": true
                },
                {
                    "name": "field3",
                    "value": "value3"
                },
                {
                    "name": "field4",
                    "value": "value4"
                },
                {
                    "name": "field5",
                    "boolValue": false
                },
                {
                    "name": "field6",
                    "value": "value6"
                },
                {
                    "name": "field7",
                    "value": "value7"
                },
                {
                    "name": "field8",
                    "boolValue": false
                },
                {
                    "name": "field9",
                    "value": "value9"
                },
                {
                    "name": "field10",
                    "boolValue": false
                },
                {
                    "name": "field11",
                    "boolValue": false
                }
            ]
        }
    ]
}

 

I'd like to marry the key/value pairing of name/value and name/boolValue with their corresponding values i.e. 

field1: true
field4: value4

I've attempted to use spath to extract values, but keep coming up short.

Labels (1)
Labels
0 Karma
Reply

johnhuang
Motivator
‎01-25-2022 11:55 PM

Try this:

| rex field=_raw max_match=0 "\"name\"\:\s?\"?(?<field_name>[^\"^,]*)\"?\,\s+\"\w+\"\:\s?\"?(?<field_value>[^\"^\n]*)"
| eval fields_list=mvzip(field_name, field_value, ":")
| eval _raw=mvjoin(mvzip(field_name, field_value, ":"),"|")
| extract pairdelim="=|",kvdelim=":"

 

Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-27-2022 02:26 AM

For structured data like JSON, I still prefer buildin SPL commands to custom regex so even badly formatted, but syntactically correct inputs do not ruin extraction.  The same idea can be implemented with spath, for example:

| rex mode=sed "s/boolValue/value/g" ``` treat boolValue just like string value ```
| rex mode=sed "s/\"\"/\"()\"/g" ``` compensate for spath's lack of zero-length standin ```
| spath
| rename events{}.parameters{}.* as field_*
``` johnhua's original code below ```
| eval _raw=mvjoin(mvzip(field_name, field_value, ":"),"|")
| extract pairdelim="=|",kvdelim=":"

A caveat with spath is that it doesn't have an option to provide a standin for zero-length string values, so I have to force a non-zero standin.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top