
Thanks For Downloading!

Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

Provides commands for extracting fields from JSON structures.

jsonutils provides a pair of commands for extracting fields from JSON data in _raw. jsonkv is smaller and faster, uses less memory, and may work on incomplete or invalid JSON. jsonkvrecursive parses the JSON and creates a field for every value, including arrays, but only works on valid JSON.

jsonkv

jsonkv uses regular expressions to pull field values from a given JSON event.

Examples:

Given this JSON:

{
  "glossary": {
    "title":"example glossary",
    "ID":"SGML",
    "SortAs":"SGML",
    "GlossTerm":"Standard Generalized Markup Language",
    "Acronym":"SGML",
    "Abbrev":"ISO 8879:1986",
    "GlossDef": {
      "para":"A meta-markup language, used to create markup languages such as DocBook."
    },
    "GlossSee":"markup"
  }
}

jsonkv will extract the following fields:
title="example glossary"
ID="SGML"
SortAs="SGML"
GlossTerm="Standard Generalized Markup Language"
Acronym="SGML"
Abbrev="ISO 8879:1986"
para="A meta-markup language, used to create markup languages such as DocBook."
GlossSee="markup"

jsonkvrecursive

jsonkvrecursive recursively builds fields from the field name hierarchy.

Examples:

Given this JSON:

{
  "glossary": {
    "title": "example glossary",
    "GlossDiv": {
      "title": "S",
      "GlossList": {
        "GlossEntry": {
          "ID": "SGML",
          "SortAs": "SGML",
          "GlossTerm": "Standard Generalized Markup Language",
          "Acronym": "SGML",
          "Abbrev": "ISO 8879:1986",
          "GlossDef": {
            "para": "A meta-markup language, used to create markup languages such as DocBook.",
            "GlossSeeAlso": ["GML", "XML"]
          },
          "GlossSee": "markup"
        }
      }
    }
  }
}

produces:

glossary_title="example glossary"
glossary_GlossDiv_title="S"
glossary_GlossDiv_GlossList_GlossEntry_ID="SGML"
glossary_GlossDiv_GlossList_GlossEntry_SortAs="SGML"
glossary_GlossDiv_GlossList_GlossEntry_GlossTerm="Standard Generalized Markup Language"
glossary_GlossDiv_GlossList_GlossEntry_Acronym="SGML"
glossary_GlossDiv_GlossList_GlossEntry_Abbrev="ISO 8879:1986"
glossary_GlossDiv_GlossList_GlossEntry_GlossDef_para="A meta-markup language, used to create markup languages such as DocBook."
glossary_GlossDiv_GlossList_GlossEntry_GlossDef_GlossSeeAlso=["GML","XML"]
glossary_GlossDiv_GlossList_GlossEntry_GlossSee="markup"
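
The trade-off between the two commands, as an added Python sketch that is not the app's own code: a regex scan survives a truncated event but loses the nesting path, so repeated leaf names such as "title" share one field, while the recursive parse keeps every path but rejects invalid JSON. The pattern, the function names, the multivalue handling of repeated keys and the sample events are assumptions made for illustration.

```python
import json
import re

# Assumed pattern for "key": scalar pairs; the app's real regex is not shown on the page.
PAIR_RE = re.compile(
    r'"(?P<key>[^"\\]+)"\s*:\s*'
    r'(?:"(?P<str>(?:[^"\\]|\\.)*)"|(?P<lit>-?\d+(?:\.\d+)?|true|false|null))'
)

def regex_kv(raw):
    """jsonkv-style: scan the text for pairs; tolerates truncated or invalid JSON."""
    fields = {}
    for m in PAIR_RE.finditer(raw):
        value = m.group("str") if m.group("str") is not None else m.group("lit")
        # The nesting path is lost, so the same leaf name at different
        # depths lands in one field (kept here as a list of values).
        fields.setdefault(m.group("key"), []).append(value)
    return fields

def recursive_kv(raw, sep="_"):
    """jsonkvrecursive-style: parse fully, then name each field by its path."""
    fields = {}

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, path + [key])
        elif isinstance(node, list):
            # Arrays are kept whole, as in the page's GlossSeeAlso output.
            fields[sep.join(path)] = json.dumps(node, separators=(",", ":"))
        else:
            fields[sep.join(path)] = node

    walk(json.loads(raw), [])  # raises ValueError on invalid JSON
    return fields

# Constructed sample: a nested event with a repeated leaf key ("title").
SAMPLE = ('{"glossary": {"title": "example glossary", '
          '"GlossDiv": {"title": "S", "GlossSeeAlso": ["GML", "XML"]}}}')
# Constructed sample: the same event cut off before "GlossDiv".
TRUNCATED = SAMPLE[:SAMPLE.index('"GlossDiv"')]

if __name__ == "__main__":
    print(regex_kv(SAMPLE))
    print(recursive_kv(SAMPLE))
    print(regex_kv(TRUNCATED))
```

When a search or alert keys on a field name that can repeat at several depths, the path-qualified names from the recursive form are the unambiguous ones; the regex form is the fallback for events that arrive truncated.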

Versions and Release Notes

Version 1.0 (current version - updated Dec 30, 2010)


Details

This app is not covered by any support agreements in place with Splunk. If you have questions about the installation or operation of this app, please contact the author.

Last Updated: Dec 30, 2010
Author: vbumgarner
Version: 1.0
Splunk compatibility: 4.3, 4.2, 4.1, 4.x
Price: Free
License: Creative Commons BY 3.0
Downloads: 409

Copyright © 2005-2012 Splunk, Inc. All rights reserved.