Reputation: 97
Extract a field from nested json in a splunk query
This is the data I have:
{ "a":"1",
"b":2,
"c": { "x":"3", "y":"4",}
}
let's suppose I have tons of events in that format. What I want to do is to write a query that will only extract "x"s from all events. I don't want anything else to be returned, just the "x"s.
I've tried multiple examples and I went through pages of documentation and yet I still did not succeed with this, there must be something I'm missing. Please advise.
Upvotes: 0
Views: 2564
Answers (2)
Reputation: 9926
This query works for me. Note the missing comma after the "y" value. Splunk will produce unexpected results if the JSON is not valid.
| makeresults
| eval _raw="{ \"a\":\"1\",
\"b\":2,
\"c\": { \"x\":\"3\", \"y\":\"4\"}
}"
| spath output=foo path=c.x
| table foo
Upvotes: 0
Reputation: 9926
It would help to know what you've tried so far and how those attempts failed to meet expectations.
Have you tried the rex command?
| rex max_match=0 "\\\"x\\\":\\\"(?<x>[^\\\"]+)"
The forest of backslashes is needed to escape the embedded quotation marks through multiple parsers.
Upvotes: 0
Related Questions
- In Splunk, Need to Pull Data from Nested JSON Array in an Array
- How to build a Splunk query that extracts data from a JSON array?
- How to extract fields from an escaped JSON(nested) in splunk?
- Splunk : Extracting the elements from JSON structure as separate fields
- Extract some fields from a part json part text log in Splunk
- How to extract Key Value fields from Json string in Splunk
- Splunk query to get field from JSON cell
- How to extract fields from JSON string in Splunk
- Querying about field with JSON type value
- Extracting values from json in Splunk using spath