Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Parse nested json array without direct key-val...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a json that looks like the following -
{
"id": "123",
"uri": "http://xyz.com/api",
"method": "POST",
"headers": [
"Accept: application/json",
"SERVICE.ENV: qa",
"SERVICE.NAME: someservice",
"CLIENT.ID: s0m3id",
"CLIENT_TYPE: typeA",
"CLIENT_IP:123.456.7.8"
],
"cookies": [],
"message": "Request Finished",
"status": 200
}
Within the headers section, I want to capture what all CLIENT_IPs are passing other header info such as SERVICE.ENV and SERVICE.NAME. The catch being, CLIENT_IP:123.456.7.8 is all in a single pair of quotes, so it isn't being parsed as a key value pair (as per my understanding). Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal |head 1 | fields _time _raw |eval _raw="{\"id\":\"123\",\"uri\":\"http://xyz.com/api\",\"method\":\"POST\",\"headers\":[\"Accept: application/json\",\"SERVICE.ENV: qa\",\"SERVICE.NAME: someservice\",\"CLIENT.ID: s0m3id\",\"CLIENT_TYPE: typeA\",\"CLIENT_IP:123.456.7.8\"],\"cookies\":[],\"message\":\"Request Finished\",\"status\":200}"
| spath headers{} output=headers
| rex field=headers max_match=0 "(?<key>\w+):\s*(?<value>\S+)"
| eval _raw=mvzip(key,value,"=")
| kvThis query extracts header array.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello -
This looks like valid JSON. Have you tried setting KV_MODE=json in props.conf?
https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Automatickey-valuefieldextractionsatsea...
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@_gkollias - Thank you for the response.
And sorry I’m absolutely new to splunk which is why I was unaware for the KV_MODE. So once it’s specified, will I be able to query with the key such as CLIENT_ID?
I've been trying queries like -
index=my_service
| rename @fields.headers{}.* as *
| eval a = mvzip(CLIENT_IP,CLIENT.ID,"|")
| mvexpand a
| table CLIENT_IP,CLIENT.ID
And it is giving me empty table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal |head 1 | fields _time _raw |eval _raw="{\"id\":\"123\",\"uri\":\"http://xyz.com/api\",\"method\":\"POST\",\"headers\":[\"Accept: application/json\",\"SERVICE.ENV: qa\",\"SERVICE.NAME: someservice\",\"CLIENT.ID: s0m3id\",\"CLIENT_TYPE: typeA\",\"CLIENT_IP:123.456.7.8\"],\"cookies\":[],\"message\":\"Request Finished\",\"status\":200}"
| spath headers{} output=headers
| rex field=headers max_match=0 "(?<key>\w+):\s*(?<value>\S+)"
| eval _raw=mvzip(key,value,"=")
| kvThis query extracts header array.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
