Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract badly formatted JSON?

markangeltruema
Engager
‎02-17-2023 01:10 AM

Hi

I'm trying to extract some json values into tables for a dashboard. The log line that i'm using is something like the below

 

 

 

 username=myUser notificationPreferences=
[class NotificationPreferences { category=cat1, categoryDescription=category1  receiveEmailNotifications=false receiveSmsNotifications=false }, 
class NotificationPreferences { category=cat2 categoryDescription=category2 receiveEmailNotifications=false receiveSmsNotifications=true  }]

 

 

 

 

As you can see, its just a standard toString on a java class that the developers are outputting. What i want is a table of users and categories, with each category having the associated details, eg

User Category Email SMS
myUser1 Category1 false false
myUser1 Category2 false true
myUser2 Category1 true true

 

I started by trying to tidy up the json 

 

 

 

| rex field=notificationPreferences mode=sed "s/\[class NotificationPreferences/prefs:[ /g"
| rex field=notificationPreferences mode=sed "s/, class NotificationPreferences/, /g"

 

 

 

Which makes the notificationPreferences field a bit better

 

 

 

 username=myUser notificationPreferences=
prefs:[ { category=cat1, categoryDescription=category1  receiveEmailNotifications=false receiveSmsNotifications=false },{ category=cat2 categoryDescription=category2 receiveEmailNotifications=false receiveSmsNotifications=true  }]

 

 

 

But from here im struggling with what i need to do in terms of spath and extractions to get both categories to work. I only ever seem to get the first category to appear in my results.

Any help would be great

Thanks

 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2023 02:34 AM

Given that the example string is so far from properly formatted JSON, you could try something like this

| makeresults 
| eval _raw=" username=myUser notificationPreferences=
[class NotificationPreferences { category=cat1, categoryDescription=category1  receiveEmailNotifications=false receiveSmsNotifications=false }, 
class NotificationPreferences { category=cat2 categoryDescription=category2 receiveEmailNotifications=false receiveSmsNotifications=true  }] "
``` Lines above just set up your sample data ```
| rex "(?ms)notificationPreferences=\s*\[(?<preferences>.*?)\]"
| rex field=preferences max_match=0 "class NotificationPreferences \{\s?(?<preference>.*?)\s?\}"
| mvexpand preference
| rename _raw as orig_raw
| rename preference as _raw
| extract pairdelim=", " kvdelim="="
| rename _raw as preference
| rename orig_raw as _raw
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...