Splunk Search

Working with a json string

jwhughes58
Contributor

I've got a feed that is sending non-compliant json since spath doesn't work on it.  I put together this search

index=dlp sourcetype=sft:json "{"
| head 1
| eval data='{"time": "2023-07-21T19:10:48+00:00", "pid": 24086, "msec": 1689966648.059, "remote_addr": "aaa.bbb.ccc.ddd", "request_time": 0.005, "host": "sitename.noname.org", "remote_user": "-", "request_filtered": "GET /healthz HTTP/1.1", "status": 200, "body_bytes_sent": 13, "bytes_sent": 869, "request_length": 72, "http_referer_filtered": "", "http_user_agent": "-", "http_x_forwarded_for": "-", "context": "973235423dccda96a385ca21c133891632a28d91"}'
| spath input=data

I'm not seeing any value for data, thus nothing for the spath.  Do I need to do something special to the eval to get it to process?

TIA,

Joe

Labels (1)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Strings need to be in double quotes and embedded quotes need to be escaped

| eval data="{\"time\": \"2023-07-21T19:10:48+00:00\", \"pid\": 24086, \"msec\": 1689966648.059, \"remote_addr\": \"aaa.bbb.ccc.ddd\", \"request_time\": 0.005, \"host\": \"sitename.noname.org\", \"remote_user\": \"-\", \"request_filtered\": \"GET /healthz HTTP/1.1\", \"status\": 200, \"body_bytes_sent\": 13, \"bytes_sent\": 869, \"request_length\": 72, \"http_referer_filtered\": \"\", \"http_user_agent\": \"-\", \"http_x_forwarded_for\": \"-\", \"context\": \"973235423dccda96a385ca21c133891632a28d91\"}"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Strings need to be in double quotes and embedded quotes need to be escaped

| eval data="{\"time\": \"2023-07-21T19:10:48+00:00\", \"pid\": 24086, \"msec\": 1689966648.059, \"remote_addr\": \"aaa.bbb.ccc.ddd\", \"request_time\": 0.005, \"host\": \"sitename.noname.org\", \"remote_user\": \"-\", \"request_filtered\": \"GET /healthz HTTP/1.1\", \"status\": 200, \"body_bytes_sent\": 13, \"bytes_sent\": 869, \"request_length\": 72, \"http_referer_filtered\": \"\", \"http_user_agent\": \"-\", \"http_x_forwarded_for\": \"-\", \"context\": \"973235423dccda96a385ca21c133891632a28d91\"}"
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...