×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
danl
Explorer
Member since: ‎08-18-2020
‎08-19-2020
Community Statistics
Posts 3
Solutions 1
Karma Given 1
Karma Received 0
Member Since ‎08-18-2020
Activity Feed
Topics I've Started
View All

Re: Extracting a JSON boolean value

by in Splunk Search
‎08-19-2020 07:58 AM
‎08-19-2020 07:58 AM
I noticed when I tried your code - creating _raw, this worked. Note I fixed the "==" : | eval _raw="{\"build\":{\"build_id\":\"bubyut7oi7xlg\",\"cache\":{\"remote_enabled\":false}}}" | spath | eval check = if('build.cache.remote_enabled'=="false", "boolean", "string") | table check However when I use the _raw value (which is much larger than my small subset, it fails).  I knew the _raw text was large, but I checked and I was surprised to see it was  > 5K characters. I did try using spath with an input path to try and give it a more precise starting point, but I guess it doesn't work that way. So I'm sure that is why mine was failing.  Your initial suggestion works fine by testing with quoted "false"! To work around my problem,  I use this to extract the (fortunately unique) named value: index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg" | rex field=_raw "\"remote_enabled\":(?P<remote_enabled>[^,]*)" | table remote_enabled Thanks for your suggestions. It helped! ... View more

Re: Extracting a JSON boolean value

by in Splunk Search
‎08-18-2020 05:25 PM
‎08-18-2020 05:25 PM
thanks to4kawa. I tried your code, altering slightly for my search: index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg" | spath | eval check = if('build.cache.remote_enabled'="false", "boolean", "string") | table check I get "string" for the value of check. I'm running Splunk V7.2.7.3 and this is the raw text of the search result: { "build": { "build_id": "bubyut7oi7xlg", "cache": { "remote_enabled": false } } }   ... View more

Extracting a JSON boolean value

by in Splunk Search
‎08-18-2020 03:30 PM
‎08-18-2020 03:30 PM
I've been unable to get a boolean value extracted from JSON written to Splunk. The data looks like this:    build: {      build_id: bubyut7oi7xlg      cache: {        remote_enabled: false      }   } Here's my search: index=gradle_enterprise_export sourcetype="gradle-export-app" message=build_saved env="prod" build.build_id="bubyut7oi7xlg" | spath | rename build.cache.remote_enabled as remote | eval remote_cache = if(remote=="false", "false", "true") | table build.build_id remote_cache I've tried a number of different combinations for remote=="false" using no quotes, single quotes, different cases. I've also tried directly using build.cache.remote_enabled == "false". (though another another post says eval will concatenate fields. Even quoted, it makes no difference).  The result should be "false" and  is always "true": build.build_id     remote_cache bubyut7oi7xlg   true I've also used tostring() to show the remote_enabled value and it shows NULL. Any ideas? Are JSON boolean values supported? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-19-2020 01:53 PM
Karma given to
View All