How to get particular field in splunk search for a nested JSON event

Time:08-04

I am trying to extract this userid (which is part of applicationTags) field in Splunk.

Can someone please help.

Json:

```json
{
  "allocatedMB": -1,
  "allocatedMemorySeconds": 1546332,
  "allocatedVCores": -1,
  "allocatedVcoreSeconds": 273,
  "applicationId": "application_1658075295053_0071",
  "applicationTags": [
    "hive_20220718142121_632022dc-9399-4034-a45d-08042dfb4367",
    "userid=rajani"
  ],
  "attributes": {
    "diagnostics": "Session stats:submittedDAGs=1, successfulDAGs=1, failedDAGs=0, killedDAGs=0"
  },
  "endTime": "2022-07-18T14:23:52.384Z",
  "mr2AppInformation": {},
  "name": "HIVE-907b6fd3-aa12-4136-af66-9787fdec52c5",
  "pool": "xxx",
  "progress": 100,
  "runningContainers": -1,
  "startTime": "2022-07-18T14:21:23.254Z",
  "state": "FINISHED",
  "user": "hive"
}
```

CodePudding user response:

You can use the spath command of splunk:

... | spath output=myfield path=applicationTags{}.userid

More information and examples can be found in the official documentation: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath

CodePudding user response:

There are at least two approaches you can use.

If your sourcetype's JSON is not being parsed properly by Splunk, this rex will pull it for you:

| rex field=_raw "userid=(?<userid>\w+)"

If it is being parsed properly, then you can probably get it by a variation on the theme of:

| rename applicationTags{}.userid as userid

To get a full listing of the fields Splunk knows about for this sourcetype, use fieldsummary. E.g.:

index=ndx sourcetype=srctp
| fieldsummary
| fields field values
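The two extraction routes from the answers above, reproduced outside Splunk so they can be checked against the question's event; this is an added example, not code from either answer. It assumes a constructed copy of the YARN record shown in the question and a Python spelling of the `rex` pattern (`(?P<userid>...)` instead of Splunk's `(?<userid>...)`). It also shows why the value has to be split out of the tag string: in this event `applicationTags` is an array of `key=value` strings, not an object with a `userid` key.

```python
import json
import re

# Constructed sample event, rebuilt from the YARN application record
# shown in the question (the tag values are the ones on the page).
RAW_EVENT = json.dumps({
    "allocatedMB": -1,
    "applicationId": "application_1658075295053_0071",
    "applicationTags": [
        "hive_20220718142121_632022dc-9399-4034-a45d-08042dfb4367",
        "userid=rajani",
    ],
    "attributes": {
        "diagnostics": "Session stats:submittedDAGs=1, successfulDAGs=1, failedDAGs=0, killedDAGs=0"
    },
    "state": "FINISHED",
    "user": "hive",
})

# Python form of the answer's rex: userid=(?<userid>\w+)
USERID_RE = re.compile(r"userid=(?P<userid>\w+)")


def tags_to_fields(event):
    """Split the key=value strings in applicationTags into a dict.
    Tags without '=' (the hive_... session tag) are skipped; the userid
    lives inside a string element, not under a JSON key of its own."""
    fields = {}
    for tag in event.get("applicationTags", []):
        if isinstance(tag, str) and "=" in tag:
            key, _, value = tag.partition("=")
            fields[key] = value
    return fields


def extract_userid(raw):
    """Parsed-JSON route first; rex-style fallback when the event is not
    valid JSON (the 'not parsed properly' case in the second answer)."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        event = None
    if isinstance(event, dict):
        userid = tags_to_fields(event).get("userid")
        if userid is not None:
            return userid
    match = USERID_RE.search(raw)
    return match.group("userid") if match else None
```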