I have some Splunk events that include a field named ResponseDetails. ResponseDetails is a JSON object that includes a child object with a property named results. results is an Array of objects that have a property named description. An example ResponseDetails looks like this:

{ {"results":[{"description":"Item was successfully added"}]} }

I'm only interested in the description. How do I retrieve the value of the description property of the results in the ResponseDetails and put it in a variable named "message"? I tried the following without success:

  | spath input=ResponseDetails output=message path=results{}.description

However, message is an empty string with the approach used above. What am I doing wrong?

Developer

2 Answers

  | spath input=ResponseDetails
  | rename ResponseDetails.results{}.description as message
  | table message

The spath command can extract the field as JSON, and then the table command can display it.

The curly braces {} after the results key are used to specify that we want to match all elements in the results array. Without them, spath will only match the first element of the results array.

As correctly pointed out by @RichG in the comments, I am updating the code.

Ganesh Nemade
  • The `table` command does not recognize an "as" argument. To rename the field, use the `rename` command. `| rename results{}.description as message | table message`. – RichG Apr 03 '23 at 17:26
  • Unfortunately, that approach did not extract the description as mentioned. – Developer Apr 04 '23 at 14:31

Try this (assuming ResponseDetails is located at the root of the event):

  | spath input=_raw
    path=ResponseDetails.results{0}.description
    output=message
  | table _time message
Hakan
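Added example (not from either answer above): a self-contained search that builds a constructed sample event with makeresults and eval, so it can be pasted into any Splunk search bar to check the spath behaviour without real data. It goes slightly beyond the question by using two results entries, which shows that results{} yields a multivalue message field and that mvexpand turns it into one row per description; results{0} would keep only the first entry. spath parses only well-formed JSON, so it is worth confirming that the stored ResponseDetails value is valid JSON when message comes back empty.

```spl
| makeresults
| eval ResponseDetails="{\"results\":[{\"description\":\"Item was successfully added\"},{\"description\":\"Second item was skipped\"}]}"
| spath input=ResponseDetails path=results{}.description output=message
| mvexpand message
| table _time message
```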