Why am I unable to extract all fields from a JSON ...

ibekacyril · ‎04-03-2016

I am trying to extract the key/value pairs in this Json field:

[DataJson={"Code":"Error","Reason":"Failed
to locate your record. Message [No
record]"}]

I tried doing this:

spath | rename Code AS Code, Reason AS Reason | table _time, Code, Reason

I only get values for _time, but not for Code and Reason. I would appreciate your help.

Thanks in advance

snoobzilla · ‎04-03-2016

Try extracting field of DataJson and then running spath on that field...

search with rex to extract DataJson | spath input=DataJson

Did not doublecheck syntax.

javiergn · ‎04-03-2016

I think spath doesn't like the format of your JSON field.
Try this instead:

your search here
| rex field=_raw "(?msi)^\[[^=]+=(?<my_json>.+)\]$"
| spath input=my_json 
| rename Code AS Code, Reason AS Reason 
| table _time, Code, Reason

ibekacyril · ‎04-03-2016

Still only returned values for _time

snoobzilla · ‎04-03-2016

Is the my_json field getting extracted correctly? Starting and ending with {}? If not you will need to tweak regex.

{"Code":"Error","Reason":"Failed to locate your record. Message [Norecord]"}

Why am I unable to extract all fields from a JSON event?

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Join the Conversation

Why am I unable to extract all fields from a JSON event?

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events