Splunk® Enterprise

Search Reference

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

fromjson

Description

Converts JSON-formatted objects into multivalue fields. If you give the fromjson command a single field name that points to proper JSON objects, fromjson returns keys as fields and key values as field values.

Syntax

Required syntax is in bold.

| fromjson<string>
[ prefix=<string>]

Optional arguments

prefix
Syntax: prefix=<string>
Description: Prepends a string to the fields that fromjson extracts from a JSON-formatted object. For example, including prefix=my_ in the search adds my_ to the beginning of field names in the results.
Default: none

Usage

The fromjson command is a streaming command, which means that it turns JSON-formatted objects into fields as each JSON object is received. See Types of commands.

Examples

1. Expand a JSON object to create new fields

Use the fromjson command to expand a JSON-formatted object and return the values in the search result. This example creates two new fields called name and age, and outputs the corresponding values in the search results.

| makeresults | eval object=json_object("name", "Albert", "age", 63) | fromjson object

The results look something like this.
_time age name object
2020-11-09 17:01:22 63 Albert {"name":"Albert", "age":63}

2. Prepend the name of extracted fields

You can use the optional argument prefix to prepend a string to fields extracted from a JSON-formatted object. This example creates two new fields called json_name and json_age.

| makeresults | eval object=json_object("name", "Albert", "age", 63) | fromjson object prefix=my_

The results look something like this.
_time my_age my_name object
2020-11-09 17:01:22 63 Albert {"name":"Albert", "age":63}

3. Expand nested JSON objects

When you use fromjson to expand JSON-formatted objects into multivalue fields, you can retain the formatting of JSON objects by nesting them within the main object. In the following example, the object called json_obj with the key-value pair "school" and "city", is nested within another JSON object called object.

| makeresults | eval object=json_object("age", 19, "name", "Sally", "new", false(), "classes", json_array("math", "history", "science"), "another_json_object", json_object("school", "city"), "null", null)| fromjson object

The results look something like this.
_time age another_json_obj classes name new object
2020-11-09 17:01:22 19 {"school":"city"} math

history
science

Sally false {"age":19,"name":"Sally","new":false,"classes":

["math","history","science"],"another_json_object":{"school":"city"},"null":null}

See also

Commands
tojson
Evaluation functions
JSON functions
Last modified on 13 February, 2023
from   gauge

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters