Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: extracting value from complex JSON
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
extracting value from complex JSON
Hi, need help on how to extract dat from this JSON.
i have used spath to extract a part of my JSON to get this data structure:
{
<"app name1">: {
"reason": "all ok",
"upstreams": 1,
"dialouts": {
"idle": 40,
"total": 40,
"connecting": 0
},
},
<"app name2": {
"reason": "all ok",
"upstreams": 2,
"dialouts": {
"idle": 15,
"total": 15,
"connecting": 0
},
},
<"app name3": {
"reason": "all ok",
"upstreams": 2,
"dialouts": {
"idle": 15,
"total": 15,
"connecting": 0
},
},
.....
}
what i want to do is to have a table to for each i have the idle, total and connecting from "dialouts":
how can i do that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval _raw="{
\"app name1\": { \"reason\": \"all ok\", \"upstreams\": 1, \"dialouts\": { \"idle\": 40, \"total\": 40, \"connecting\": 0 }, },
\"app name2\": { \"reason\": \"all ok\", \"upstreams\": 2, \"dialouts\": { \"idle\": 15, \"total\": 15, \"connecting\": 0 }, },
\"app name3\": { \"reason\": \"all ok\", \"upstreams\": 2, \"dialouts\": { \"idle\": 15, \"total\": 15, \"connecting\": 0 }, }
}"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex field=_raw max_match=0 "(?ms).*?(?<event>\"app name.*?},\s*\})(?=[\r\n\s\",]+(?:\}|app name))"
| mvexpand event
| rename event AS _raw
| eval _raw = "{" . _raw . "}"
| rex "(?<app_name>app[^\"]+)"
| rex mode=sed "s/app name\d+/app/"
| spath
| rename app.* AS *
| table app_name dialouts.*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you can regex to extract 2 element:
- <"app name2" => save fields app_name
- { "reason": "all ok", "upstreams": 2, "dialouts": { "idle": 15, "total": 15, "connecting": 0 }, } => data_app_name
after, use
|spath input=data_app_name
, will extract all data values in data_app_name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you add the regex itself? not so strong in regex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can write 2 regex:
1. extract app_name: https://regex101.com/r/vU0fJI/1
2. extract data: https://regex101.com/r/vU0fJI/3
I just thought of another way.
Can remove characters . It's example, if wrong syntax, please fix it.
| rex mode=sed "s/<//g"
| rex mode=sed "s/>//g"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
