Today I Learned

Extract Fields From JSON Data in Splunk

The spath command enables you to extract information from structured data formats, XML and JSON. The command stores this information in one or more fields. The command also highlights the syntax in the displayed events list.

  1. Specify an output field and path

    This example shows how to specify an output field and path.

    ... | spath output=myfield path=foo.bar
    
  2. Specify an output field and path based on an array

    For example, you have this array.

    {
        "foo" : [1,2]
    }
    

    To specify the output field and path, use this syntax.

    ... | spath output=myfield path=foo{1}
    
  3. Specify an output field and a path that uses a nested array

    For example, you have this nested array.

    {
        "foo" : {
            "bar" : [
                {"zoo" : 1},
                {"baz" : 2}
            ]
        }
    }
    

    To specify the output and path from this nested array, use this syntax.

    ... | spath output=myfield path=foo.bar{}.baz
    
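    As an added illustration (not Splunk's code and not part of the original note), the Python below emulates the three path forms shown above over the same JSON events: dotted keys, `{n}` for one array element and `{}` for every element. It assumes `{n}` is 1-based, as the `foo{1}` example suggests, and returns a plain list of matches where Splunk would produce a multivalue field.

```python
import json
import re

# One path step: a key, optionally followed by "{}" or "{n}".
# "foo.bar{}.baz" -> [("foo", None), ("bar", "*"), ("baz", None)]
# "foo{1}"        -> [("foo", 1)]
_STEP = re.compile(r"([^.{}]+)(\{(\d*)\})?")


def parse_path(path):
    """Split an spath-style path into (key, index) steps."""
    steps = []
    for key, braces, idx in _STEP.findall(path):
        if not braces:
            steps.append((key, None))        # plain object key
        elif idx == "":
            steps.append((key, "*"))         # {}  -> every array element
        else:
            steps.append((key, int(idx)))    # {n} -> one element, assumed 1-based
    return steps


def spath(event, path):
    """Resolve `path` against a JSON event (string or parsed object).

    Returns the list of matched values; an empty list means no field
    would be produced. Branches that lack the key are dropped silently,
    which is why foo.bar{}.baz below yields only the element that has baz.
    """
    current = [json.loads(event) if isinstance(event, str) else event]
    for key, idx in parse_path(path):
        nxt = []
        for node in current:
            if not isinstance(node, dict) or key not in node:
                continue                      # missing key on this branch
            value = node[key]
            if idx is None:
                nxt.append(value)
            elif isinstance(value, list):
                if idx == "*":
                    nxt.extend(value)
                elif 1 <= idx <= len(value):
                    nxt.append(value[idx - 1])
        current = nxt
    return current


# Constructed sample events, matching the note's three cases.
FLAT = '{"foo": {"bar": "x"}}'
ARRAY = '{"foo": [1, 2]}'
NESTED = '{"foo": {"bar": [{"zoo": 1}, {"baz": 2}]}}'
```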

Source: Splunk Search Reference