Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple json in an event- How do I extract status in one event?

splunkuser320
Path Finder
‎07-13-2023 10:43 AM

I have multiple json coming in a single event and want to extract the status of one event. 

For example, I want the status of the event extract

{"event": "load", "id ":132", "status": "passed"}

{"event": "write", "id ":132", "status": "passed"}

{"event": "extract", "id ":132", "status": "passed"}

 

 

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-13-2023 12:11 PM

Seriously, beg/pester your developer to write events in proper JSON. (BTW, your illustration also contained extraneous quote after reach number.)  A lazy approach could be JSON array, like

 

{"event": [
  {"type": "load", "id ":132, "status": "passed"},
  {"type": "write", "id ":132, "status": "passed"},
  {"type": "extract", "id ":132, "status": "passed"}
 ]
}

 

This will give you something like

data
event{}.id
event{}.status
event{}.type
{"event": [ {"type": "load", "id ":132, "status": "passed"}, {"type": "write", "id ":132, "status": "passed"}, {"type": "extract", "id ":132, "status": "passed"} ] }
132
132
132
passed
passed
passed
load
write
extract

The multivalue fields are harder to process in Splunk, so you want to use spath and mvexpand to handle raw event

 

| spath path=event{}
| mvexpand event{}
| spath input=event{}

 

so you get single-value rows like

event{}idstatustype
{"type": "load", "id ":132, "status": "passed"}132passedload
{"type": "write", "id ":132, "status": "passed"}132passedwrite
{"type": "extract", "id ":132, "status": "passed"}132passedextract

But really, because the types do not overlap, they should be in nested key-value form

 

{"event":
 {
  "load": {"id":132, "status": "passed"},
  "write": {"id ":132, "status": "passed"},
  "extract": {"id ":132, "status": "passed"}
 }
}

 

This should give you

dataevent.extract.idevent.extract.statusevent.load.idevent.load.statusevent.write.idevent.write.status
{"event": { "load": {"id":132, "status": "passed"}, "write": {"id ":132, "status": "passed"}, "extract": {"id ":132, "status": "passed"} } }132passed132passed132passed

 

Lastly, JSON does not dictate order of nodes, or how texts are spaced, linewrapped, etc.  It is best not to avoid treating structured data as text.  So, before your developer yields to your persuasion, you can convert the bad event into compliant JSON array.  Not an ideal form but usable.

 

| rex mode=sed "s/^/[/ s/}/},/g s/,$/]/"
| spath path={}
| mvexpand {}
| spath input={}

 

This way, you get 

eventidstatus{}
load132passed{"event": "load", "id ":132, "status": "passed"}
write132passed{"event": "write", "id ":132, "status": "passed"}
extract132passed{"event": "extract", "id ":132, "status": "passed"}
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-13-2023 11:07 AM

 

| rex "event\"\s*:\s*\"extract\".+?status\"\s*:\s*\"(?<status>[^\"]+)"

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...