I have json format Splunk search results like below :
"{
"Name": "RUNQDATA",
"RunId": "2021021701",
"Details": <{
"RunQID": "796562",
"TQID": "796562",
"Ent": {
"NAME": "Inv",
"Store": {
"NAME": "FSW",
"TYPE": "QUEUE",
"USERNAME": "abc"
}
},
"ADD_COUNT": "5740",
"UPDATE_COUNT": "0",
"DELETE_COUNT": "0"
}>,
"status": "success",
}"
How can I extract the fields like ADD_COUNT or UPDATE_COUNT from this ? I tried spath & other options , however not able to get the required results. Probably because the json contains <>.
Any help here is appreciated.
Confirmed. If the angle brackets are removed then the spath command will parse the whole thing. The spath command doesn't handle malformed JSON.
If you can't change the format of the event then you'll have to use the rex command to extract the fields as in this run-anywhere example
| makeresults
| eval _raw="{
\"Name\": \"RUNQDATA\",
\"RunId\": \"2021021701\",
\"Details\": <{
\"RunQID\": \"796562\",
\"TQID\": \"796562\",
\"Ent\": {
\"NAME\": \"Inv\",
\"Store\": {
\"NAME\": \"FSW\",
\"TYPE\": \"QUEUE\",
\"USERNAME\": \"abc\"
}
},
\"ADD_COUNT\": \"5740\",
\"UPDATE_COUNT\": \"0\",
\"DELETE_COUNT\": \"0\"
}>,
\"status\": \"success\",
}"
| rex "UPDATE_COUNT\": \"(?<UPDATE_COUNT>\d+)"
| rex "DELETE_COUNT\": \"(?<DELETE_COUNT>\d+)"