Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parse nested json array without direct key-value mapping

rashmeet
Explorer
‎07-16-2020 05:28 PM

Hi, 

I have a json that looks like the following - 

{
"id": "123",
"uri": "http://xyz.com/api",
"method": "POST",
"headers": [
"Accept: application/json",
"SERVICE.ENV: qa",
"SERVICE.NAME: someservice",
"CLIENT.ID: s0m3id",
"CLIENT_TYPE: typeA",
"CLIENT_IP:123.456.7.8"
],
"cookies": [],
"message": "Request Finished",
"status": 200
}

Within the headers section, I want to capture what all CLIENT_IPs are passing other header info such as SERVICE.ENV and SERVICE.NAME. The catch being, CLIENT_IP:123.456.7.8 is all in a single pair of quotes, so it isn't being parsed as a key value pair (as per my understanding). Please help. 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-17-2020 11:32 AM 
index=_internal |head 1 | fields _time _raw |eval _raw="{\"id\":\"123\",\"uri\":\"http://xyz.com/api\",\"method\":\"POST\",\"headers\":[\"Accept: application/json\",\"SERVICE.ENV: qa\",\"SERVICE.NAME: someservice\",\"CLIENT.ID: s0m3id\",\"CLIENT_TYPE: typeA\",\"CLIENT_IP:123.456.7.8\"],\"cookies\":[],\"message\":\"Request Finished\",\"status\":200}"
| spath headers{} output=headers
| rex field=headers max_match=0 "(?<key>\w+):\s*(?<value>\S+)"
| eval _raw=mvzip(key,value,"=")
| kv

This query extracts header array.

View solution in original post

Reply
Solved! Jump to solution

_gkollias
Builder
‎07-16-2020 07:01 PM

Hello - 

This looks like valid JSON. Have you tried setting KV_MODE=json in props.conf?

https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Automatickey-valuefieldextractionsatsea... 

Thanks!

0 Karma
Reply
Solved! Jump to solution

rashmeet
Explorer
‎07-17-2020 09:41 AM

 

 

0 Karma
Reply
Solved! Jump to solution

rashmeet
Explorer
‎07-16-2020 08:48 PM

@_gkollias  - Thank you for the response. 
And sorry I’m absolutely new to splunk which is why I was unaware for the KV_MODE. So once it’s specified, will I be able to query with the key such as CLIENT_ID? 

I've been trying queries like - 

index=my_service
| rename @fields.headers{}.* as *
| eval a = mvzip(CLIENT_IP,CLIENT.ID,"|")
| mvexpand a
| table CLIENT_IP,CLIENT.ID

And it is giving me empty table.

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-17-2020 11:32 AM 
index=_internal |head 1 | fields _time _raw |eval _raw="{\"id\":\"123\",\"uri\":\"http://xyz.com/api\",\"method\":\"POST\",\"headers\":[\"Accept: application/json\",\"SERVICE.ENV: qa\",\"SERVICE.NAME: someservice\",\"CLIENT.ID: s0m3id\",\"CLIENT_TYPE: typeA\",\"CLIENT_IP:123.456.7.8\"],\"cookies\":[],\"message\":\"Request Finished\",\"status\":200}"
| spath headers{} output=headers
| rex field=headers max_match=0 "(?<key>\w+):\s*(?<value>\S+)"
| eval _raw=mvzip(key,value,"=")
| kv

This query extracts header array.

Reply
Solved! Jump to solution

rashmeet
Explorer
‎07-17-2020 02:58 PM

@to4kawa  - Thank you, that does help, much appreciated. 🙂

 


 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...