fromjson
Description
Converts JSON-formatted objects into multivalue fields. If you give the fromjson
command a single field name that points to proper JSON objects, fromjson
returns keys as fields and key values as field values.
Syntax
Required syntax is in bold.
- | fromjson <string>
- [prefix=<string>]
Optional arguments
- prefix
- Syntax: prefix=<string>
- Description: Prepends a string to the fields that fromjson extracts from a JSON-formatted object. For example, including prefix=my_ in the search adds my_ to the beginning of field names in the results.
- Default: none
Usage
The fromjson command is a streaming command, which means that it turns JSON-formatted objects into fields as each JSON object is received. See Types of commands.
Examples
1. Expand a JSON object to create new fields
- Use the fromjson command to expand a JSON-formatted object and return the values in the search result. This example creates two new fields called name and age, and outputs the corresponding values in the search results.
| makeresults | eval object=json_object("name", "Albert", "age", 63) | fromjson object
- The results look something like this.
_time | age | name | object
2020-11-09 17:01:22 | 63 | Albert | {"name":"Albert", "age":63}
2. Prepend the name of extracted fields
- You can use the optional argument prefix to prepend a string to fields extracted from a JSON-formatted object. This example creates two new fields called my_name and my_age.
| makeresults | eval object=json_object("name", "Albert", "age", 63) | fromjson object prefix=my_
- The results look something like this.
_time | my_age | my_name | object
2020-11-09 17:01:22 | 63 | Albert | {"name":"Albert", "age":63}
3. Expand nested JSON objects
- When you use fromjson to expand JSON-formatted objects into multivalue fields, you can retain the formatting of JSON objects by nesting them within the main object. In the following example, the object called another_json_object, with the key-value pair "school" and "city", is nested within another JSON object called object.
| makeresults | eval object=json_object("age", 19, "name", "Sally", "new", false(), "classes", json_array("math", "history", "science"), "another_json_object", json_object("school", "city"), "null", null)| fromjson object
- The results look something like this.
_time | age | another_json_obj | classes | name | new | object
2020-11-09 17:01:22 | 19 | {"school":"city"} | math history science | Sally | false | {"age":19,"name":"Sally","new":false,"classes": ["math","history","science"],"another_json_object":{"school":"city"},"null":null}
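The field-naming rules shown in the three examples above, modelled in Python as an added sketch (not Splunk code and not part of the original documentation), so you can check which field names a JSON payload will produce and whether they clash with fields already on the event. Assumptions: null values produce no field, as the example 3 results suggest; non-JSON input leaves the event unchanged; the sample event and the collisions list are constructed for illustration.

```python
import json

def _render(value):
    """Render a JSON scalar or nested object as field text."""
    if isinstance(value, str):
        return value
    # Nested objects keep their JSON formatting; numbers and booleans use JSON text.
    return json.dumps(value, separators=(",", ":"))

def fromjson(event, field, prefix=""):
    """Model of the expansion shown on this page (not Splunk's implementation).

    Returns (new_event, collisions): collisions lists extracted names that
    already existed on the event, which a prefix keeps apart.
    """
    try:
        obj = json.loads(event[field])
    except (KeyError, TypeError, ValueError):
        return dict(event), []  # assumption: non-JSON input leaves the event unchanged
    if not isinstance(obj, dict):
        return dict(event), []
    out, collisions = dict(event), []
    for key, value in obj.items():
        if value is None:
            continue  # the example 3 results show no field for the "null" key
        name = prefix + key
        if name in event:
            collisions.append(name)
        # Assumption of this model: the extracted value replaces the existing one.
        out[name] = [_render(v) for v in value] if isinstance(value, list) else _render(value)
    return out, collisions

# Constructed sample event: "user" exists on the event and also inside the payload.
SAMPLE = {
    "user": "svc_backup",
    "payload": '{"user":"alice","action":"login","ok":false,'
               '"groups":["vpn","admins"],"client":{"ip":"203.0.113.7"},"note":null}',
}

if __name__ == "__main__":
    for pfx in ("", "evt_"):
        fields, clashes = fromjson(SAMPLE, "payload", prefix=pfx)
        print(repr(pfx), "collisions:", clashes)
        print(fields)
```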
See also
- Commands
- tojson
- Evaluation functions
- JSON functions
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0