Multiple json in an event- How do I extract status in one event?

splunkuser320

I have multiple JSON objects arriving in a single event and want to extract the status of one of them.

For example, I want the status of the event "extract":

{"event": "load", "id ":132", "status": "passed"}

{"event": "write", "id ":132", "status": "passed"}

{"event": "extract", "id ":132", "status": "passed"}


yuanliu

Seriously, beg/pester your developer to write events in proper JSON. (BTW, your illustration also contained an extraneous quote after each number.) A lazy approach could be a JSON array, like

{"event": [
  {"type": "load", "id ":132, "status": "passed"},
  {"type": "write", "id ":132, "status": "passed"},
  {"type": "extract", "id ":132, "status": "passed"}
 ]
}

This will give you something like (the three extracted fields are multivalue):

| data | event{}.id | event{}.status | event{}.type |
| --- | --- | --- | --- |
| {"event": [ {"type": "load", "id ":132, "status": "passed"}, {"type": "write", "id ":132, "status": "passed"}, {"type": "extract", "id ":132, "status": "passed"} ] } | 132, 132, 132 | passed, passed, passed | load, write, extract |

Multivalue fields are harder to process in Splunk, so you want to use spath and mvexpand to handle the raw event:

| spath path=event{}
| mvexpand event{}
| spath input=event{}

so you get single-value rows like

| event{} | id | status | type |
| --- | --- | --- | --- |
| {"type": "load", "id ":132, "status": "passed"} | 132 | passed | load |
| {"type": "write", "id ":132, "status": "passed"} | 132 | passed | write |
| {"type": "extract", "id ":132, "status": "passed"} | 132 | passed | extract |

But really, because the types do not overlap, they should be in nested key-value form:

{"event":
 {
  "load": {"id":132, "status": "passed"},
  "write": {"id ":132, "status": "passed"},
  "extract": {"id ":132, "status": "passed"}
 }
}

This should give you

| data | event.extract.id | event.extract.status | event.load.id | event.load.status | event.write.id | event.write.status |
| --- | --- | --- | --- | --- | --- | --- |
| {"event": { "load": {"id":132, "status": "passed"}, "write": {"id ":132, "status": "passed"}, "extract": {"id ":132, "status": "passed"} } } | 132 | passed | 132 | passed | 132 | passed |

Lastly, JSON does not dictate the order of nodes, or how text is spaced, line-wrapped, etc. It is best to avoid treating structured data as text. So, before your developer yields to your persuasion, you can convert the bad event into a compliant JSON array. Not an ideal form, but usable.

| rex mode=sed "s/^/[/ s/}/},/g s/,$/]/"
| spath path={}
| mvexpand {}
| spath input={}

This way, you get

| event | id | status | {} |
| --- | --- | --- | --- |
| load | 132 | passed | {"event": "load", "id ":132, "status": "passed"} |
| write | 132 | passed | {"event": "write", "id ":132, "status": "passed"} |
| extract | 132 | passed | {"event": "extract", "id ":132, "status": "passed"} |

ITWhisperer
| rex "event\"\s*:\s*\"extract\".+?status\"\s*:\s*\"(?<status>[^\"]+)"

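To make the two approaches in this thread concrete outside Splunk, here is an added Python example (not from either reply, and not Splunk's own code). It applies the same three substitutions as yuanliu's rex mode=sed pipeline to turn the concatenated objects into a JSON array and looks the status up by event name, adds a streaming decoder (an alternative not shown in the thread) that does not care about spacing or line wrapping, and runs the equivalent of ITWhisperer's rex. Both sample events are constructed; the second has its keys reordered to show the caveat yuanliu raises: the regex quietly returns the next object's status, while the structured lookup returns the right one.

```python
import json
import re

# Constructed sample: three JSON objects in one raw event, as in the question
# (with the stray quote after each id removed, as yuanliu's reply points out).
RAW_EVENT = (
    '{"event": "load", "id ":132, "status": "passed"}\n'
    '{"event": "write", "id ":132, "status": "failed"}\n'
    '{"event": "extract", "id ":132, "status": "passed"}'
)

# Constructed sample with the keys of the first object reordered; JSON allows this.
REORDERED_EVENT = (
    '{"status": "failed", "event": "extract", "id ":132}\n'
    '{"event": "load", "id ":132, "status": "passed"}'
)


def to_json_array(raw: str) -> str:
    """Mirror of the rex mode=sed pipeline: prepend '[', put a comma after
    every '}', then turn the trailing comma into ']'.  Like the sed version,
    this assumes no '}' appears inside a string value."""
    s = "[" + raw                 # s/^/[/
    s = s.replace("}", "},")      # s/}/},/g
    s = re.sub(r",$", "]", s)     # s/,$/]/
    return s


def statuses_by_event(raw: str) -> dict:
    """Structured lookup: parse the normalised array and index status by event name."""
    return {obj["event"]: obj["status"] for obj in json.loads(to_json_array(raw))}


def iter_json_objects(raw: str):
    """Decode back-to-back JSON objects regardless of spacing or line wrapping.
    Added alternative to the sed rewrite; it does not rely on '}' placement."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(raw) and raw[pos].isspace():   # skip separators
            pos += 1
        if pos >= len(raw):
            return
        obj, end = decoder.raw_decode(raw, pos)
        yield obj
        pos = end


def statuses_by_event_streamed(raw: str) -> dict:
    """Same result as statuses_by_event, built from the streaming decoder."""
    return {obj["event"]: obj["status"] for obj in iter_json_objects(raw)}


def status_via_regex(raw: str, event: str):
    """Python equivalent of ITWhisperer's rex.  It is a text match, so it
    depends on "event" appearing before "status" inside the same object."""
    pattern = (r'event"\s*:\s*"' + re.escape(event)
               + r'".+?status"\s*:\s*"(?P<status>[^"]+)')
    m = re.search(pattern, raw, re.DOTALL)
    return m.group("status") if m else None


if __name__ == "__main__":
    print("structured:", statuses_by_event(RAW_EVENT)["extract"])
    print("regex:     ", status_via_regex(RAW_EVENT, "extract"))
    # With reordered keys the regex reads the *next* object's status.
    print("reordered, structured:", statuses_by_event(REORDERED_EVENT)["extract"])
    print("reordered, regex:     ", status_via_regex(REORDERED_EVENT, "extract"))
```

The streaming decoder is the one to reach for when the event's whitespace or line breaks are not under your control; the sed-style rewrite is the closest match to what can be done inline in SPL.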