Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Working with a json string

jwhughes58
Contributor
‎07-21-2023 01:14 PM

I've got a feed that is sending non-compliant json since spath doesn't work on it.  I put together this search

index=dlp sourcetype=sft:json "{"
| head 1
| eval data='{"time": "2023-07-21T19:10:48+00:00", "pid": 24086, "msec": 1689966648.059, "remote_addr": "aaa.bbb.ccc.ddd", "request_time": 0.005, "host": "sitename.noname.org", "remote_user": "-", "request_filtered": "GET /healthz HTTP/1.1", "status": 200, "body_bytes_sent": 13, "bytes_sent": 869, "request_length": 72, "http_referer_filtered": "", "http_user_agent": "-", "http_x_forwarded_for": "-", "context": "973235423dccda96a385ca21c133891632a28d91"}'
| spath input=data

I'm not seeing any value for data, thus nothing for the spath.  Do I need to do something special to the eval to get it to process?

TIA,

Joe

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2023 01:36 PM

Strings need to be in double quotes and embedded quotes need to be escaped

| eval data="{\"time\": \"2023-07-21T19:10:48+00:00\", \"pid\": 24086, \"msec\": 1689966648.059, \"remote_addr\": \"aaa.bbb.ccc.ddd\", \"request_time\": 0.005, \"host\": \"sitename.noname.org\", \"remote_user\": \"-\", \"request_filtered\": \"GET /healthz HTTP/1.1\", \"status\": 200, \"body_bytes_sent\": 13, \"bytes_sent\": 869, \"request_length\": 72, \"http_referer_filtered\": \"\", \"http_user_agent\": \"-\", \"http_x_forwarded_for\": \"-\", \"context\": \"973235423dccda96a385ca21c133891632a28d91\"}"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2023 01:36 PM

Strings need to be in double quotes and embedded quotes need to be escaped

| eval data="{\"time\": \"2023-07-21T19:10:48+00:00\", \"pid\": 24086, \"msec\": 1689966648.059, \"remote_addr\": \"aaa.bbb.ccc.ddd\", \"request_time\": 0.005, \"host\": \"sitename.noname.org\", \"remote_user\": \"-\", \"request_filtered\": \"GET /healthz HTTP/1.1\", \"status\": 200, \"body_bytes_sent\": 13, \"bytes_sent\": 869, \"request_length\": 72, \"http_referer_filtered\": \"\", \"http_user_agent\": \"-\", \"http_x_forwarded_for\": \"-\", \"context\": \"973235423dccda96a385ca21c133891632a28d91\"}"
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...