rickygrimes
Reputation: 2716
Splunk extract nested fields from JSON string
I have the below JSON string, and I need to extract amount.dollarAmt. This is the query I tried but it's not working. What can I try next?
|rex "dollarAmt\"\:\"(?< dollarAmt >([^\"]+))" | spath output=dollarAmt path=amount. dollarAmt
"myId": "6836c64a-37b3-4991-96c7-c558e3d7d94c",
"storeId": "0",
"deptId": "9",
"eventPayload": {
"orderNumber": "13456",
"paymentMethod": [
{
"amount": {
"dollarAmt": 27.29,
"currencyUnit": "USD"
}
},
{
"actualAmt": {
"dollarAmt": 7.29,
"currencyUnit": "USD"
}
}
]
}
}
Upvotes: 1
Views: 1478
Answers (1)
RichG
Reputation: 9926
The spath command only works with valid JSON, which is not the case with the example data. Adding a leading { makes it work as in this run-anywhere example. If you use spath without arguments then you'll see how Splunk names the fields. Then you can specify the name in the path= argument.
| makeresults | eval _raw="{\"myId\": \"6836c64a-37b3-4991-96c7-c558e3d7d94c\",
\"storeId\": \"0\",
\"deptId\": \"9\",
\"eventPayload\": {
\"orderNumber\": \"13456\",
\"paymentMethod\": [
{
\"amount\": {
\"dollarAmt\": 27.29,
\"currencyUnit\": \"USD\"
}
},
{
\"actualAmt\": {
\"dollarAmt\": 7.29,
\"currencyUnit\": \"USD\"
}
}
]
}
}"
| spath output=dollarAmt path=eventPayload.paymentMethod{}.amount.dollarAmt
Upvotes: 2
Related Questions
- If condition to get userid from different fields from JSON
- Splunk search query to create a table from JSON search result
- Splunk escaped string regex to extract fields
- How to extract fields from an escaped JSON(nested) in splunk?
- JSON Extraction from Splunk log
- How to extract Key Value fields from Json string in Splunk
- How to extract fields from JSON string in Splunk
- Splunk extract fields from source
- Unable to extract JSON fields in Splunk