SPL Tricks: Dealing with Nested Name-Value Pairs in JSON
JSON is a fantastic logging format and Splunk has built in support for it. However, when dealing with JSON logs, there’s a certain field structure that can be a little tricky to manage:
The issue here is that Splunk will extract these fields as `name=foo` and `value=bar` by default. I’ve tried a couple different methods to pull specific fields out in the past but now I figured out clean way to extract all of them at once in search.
This method will add fields for all the dictionaries in the list for the name and value pairs.
Breaking this down
Use `mvzip` to combine each dictionary into a single field. The delimiter to join by will need to be unique in the values change `:` if needed.
Use `mvmap` to iterate over the values in the multivalued field and perform a `json_object` operation using the 0 index as the key name and the 1 index as the value.
Join the new JSON dictionaries into JSON formatted list.
Use `spath` to extract the JSON from the new field.
I’ve come across logs like this quite often, and I hope this solution proves useful to others facing the same problem. There are many powerful and creative ways to use `eval` functions and other commands in Splunk. I highly recommend taking the time to dig through the documentation whenever you’re faced with a problem in getting the results you want in Splunk. There’s often a command or technique that will provide the solution you need.
Full Test Search
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
