×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
sammagana
Loves-to-Learn
Member since: ‎11-18-2020
‎11-20-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-18-2020
Activity Feed
Topics I've Started
View All

Parsing double nested JSON

by SplunkTrust in Splunk Search
‎11-21-2020 11:45 PM
‎11-21-2020 11:45 PM
if licenses field is already extracted and licenses field has value like below from the above events: { "version": "v20", "vendor_daemon": "cstd", "expiration_date": "2021-07-16", "type": "floating", "parse_status": "SUCCESS", "parse_error": null } { "version": "v20", "vendor_daemon": "cstd", "expiration_date": "2021-07-16", "type": "floating", "parse_status": "SUCCESS", "parse_error": null }   then you can write simple props & transforms as below in search head to have fields from licenses set: props.conf     [yoursourcetype] REPORT-jsonextract = jsonextract     transforms.conf     [jsonextract] SOURCE_KEY=licenses REGEX=(?<_KEY_1>[^\"]+)\":\s+\"?(?<_VAL_1>[^(\"|\s+)?]+)      if licenses field is not extracted already then you need to follow below to extract licenses field props.conf     [yoursourcetype] REPORT-a_licensesextract = a_licensesextract REPORT-b_jsonextract = b_jsonextract     transforms.conf     [a_licensesextract] REGEX = licenses\":\s+\[(?<licenses>[^\]]+) FORMAT = licenses::$1 MV_ADD = true [b_jsonextract] SOURCE_KEY=licenses REGEX=(?<_KEY_1>[^\"]+)\":\s+\"?(?<_VAL_1>[^(\"|\s+)?]+)     ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-20-2020 05:59 PM