×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mipa04
Engager
Member since: ‎05-27-2024
‎06-03-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-27-2024
Activity Feed
View All

Re: Extract json values from string json array

by in Splunk Search
‎06-02-2024 11:55 PM
‎06-02-2024 11:55 PM
Thanks for response, but unfortunately it doesn't work -  YOUR_SEARCH | eval tlogParameters = replace(tlogParameters, "'","\"") this doesn't change anything - ie tlogParameters is still displayed in raw as single quotes and surrounded by double quotes as original.  YOUR_SEARCH | eval tlogParameters = replace(tlogParameters, "'","\"") | eval _raw = tlogParameters  this makes empty result (the same as full query you proposed):   ... View more

Re: Extract json values from string json array

by in Splunk Search
‎05-31-2024 08:32 AM
‎05-31-2024 08:32 AM
I don't know if that it is in Event top level field matters, so I'm pasting screenshot of raw data. Field in question is tlogParameters ... View more

Re: Extract json values from string json array

by in Splunk Search
‎05-31-2024 05:49 AM
‎05-31-2024 05:49 AM
I pasted it the same as I see in splunk search results, field params is in double quotes, but inside there are single quotes. I know that json requires double quotes, but don't know if it is only matter of displaying in splunk search, or actually it is not proper json for splunk (source for this is database table, in which it is proper json array with double quotes) ... View more

Extract json values from string json array

by in Splunk Search
‎05-31-2024 04:35 AM
‎05-31-2024 04:35 AM
Hi, my splunk search results in two fields - Time and Event. Inside Event field there are multiple searchable fields, one of which is json array as string like this: params="[{'field1':'value1','field2':'value2','field3':'value3'}]" Above json array always has one json object like in example. I need to extract values for given fields from this json object - how can i do that? I figured spath is the way to do this, but none of solutions I found so far worked - maybe because all examples were operating on json as string only and in my case it is in Event as splunk shows in search - can you help? ... View more
Labels

Parsing string with whitespaces as json object

by in Splunk Search
‎05-27-2024 11:12 AM
‎05-27-2024 11:12 AM
Hi, I am completely new to splunk and have to parse field that looks like this: params="['field1: value1', 'field2: value2', 'field3: value3']" (note spaces after colons) - I have to extract field1, field2, field3 to be searchable - can you help with what query should I write? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-03-2024 08:07 AM