index=index1 sourcetype=test1 |spath output=myfield path=Student{}.SubjectDetails{}.type |table myfield, Class
{
"Class": "11",
"date": "05/16/2016",
"Student": [
{
"RollNo": "1234",
"SubjectDetails": [
{
"type": "Mandatory",
"startTime": "05/16/2016 21:30",
"endTime": "05/16/2016 22:00",
"name": "English"
},
{
"type": "Optional",
"startTime": "05/16/2016 20:00",
"endTime": "05/16/2016 21:30",
"name": "Math"
}
]
}
]
}
the above splunk query can work if the result is only contains JSON but it will not work when before and after there text with before and after JSON Data.
got data from external x machine.
{
"Class": "11",
"date": "05/16/2016",
"Student": [
{
"RollNo": "1234",
"SubjectDetails": [
{
"type": "Mandatory",
"startTime": "05/16/2016 21:30",
"endTime": "05/16/2016 22:00",
"name": "English"
},
{
"type": "Optional",
"startTime": "05/16/2016 20:00",
"endTime": "05/16/2016 21:30",
"name": "Math"
}
]
}
]
}
got data from external x machine.
... View more