fromjson
Description
Converts JSON-formatted objects into multivalue fields. If you give the fromjson
command a single field name that points to proper JSON objects, fromjson
returns keys as fields and key values as field values.
Syntax
Required syntax is in bold.
- | fromjson <string>
- [prefix=<string>]
Optional arguments
- prefix
- Syntax: prefix=<string>
- Description: Prepends a string to the fields that fromjson extracts from a JSON-formatted object. For example, including prefix=my_ in the search adds my_ to the beginning of field names in the results.
- Default: none
Usage
The fromjson command is a streaming command, which means that it turns JSON-formatted objects into fields as each JSON object is received. See Types of commands.
Examples
1. Expand a JSON object to create new fields
- Use the fromjson command to expand a JSON-formatted object and return the values in the search result. This example creates two new fields called name and age, and outputs the corresponding values in the search results.
| makeresults | eval object=json_object("name", "Albert", "age", 63) | fromjson object
- The results look something like this.
| _time | age | name | object |
|---|---|---|---|
| 2020-11-09 17:01:22 | 63 | Albert | {"name":"Albert", "age":63} |
2. Prepend the name of extracted fields
- You can use the optional argument prefix to prepend a string to fields extracted from a JSON-formatted object. This example creates two new fields called my_name and my_age.
| makeresults | eval object=json_object("name", "Albert", "age", 63) | fromjson object prefix=my_
- The results look something like this.
| _time | my_age | my_name | object |
|---|---|---|---|
| 2020-11-09 17:01:22 | 63 | Albert | {"name":"Albert", "age":63} |
3. Expand nested JSON objects
- When you use fromjson to expand JSON-formatted objects into multivalue fields, you can retain the formatting of JSON objects by nesting them within the main object. In the following example, the object called another_json_object, which holds the key-value pair "school" and "city", is nested within another JSON object called object.
| makeresults | eval object=json_object("age", 19, "name", "Sally", "new", false(), "classes", json_array("math", "history", "science"), "another_json_object", json_object("school", "city"), "null", null) | fromjson object
- The results look something like this.
| _time | age | another_json_object | classes | name | new | object |
|---|---|---|---|---|---|---|
| 2020-11-09 17:01:22 | 19 | {"school":"city"} | math history science | Sally | false | {"age":19,"name":"Sally","new":false,"classes": ["math","history","science"],"another_json_object":{"school":"city"},"null":null} |
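Example 3 leaves a nested object as a JSON string in its own field. As an added illustration that is not part of the original documentation, a second fromjson pass over that field expands the nested keys, and a different prefix on each pass keeps the two levels apart. The event content and the evt_ and src_ prefixes are constructed for this example.

```spl
| makeresults
| eval object=json_object("user", "alice", "actions", json_array("login", "mfa_challenge"), "source", json_object("ip", "203.0.113.5", "country", "NL"))
| fromjson object prefix=evt_
| fromjson evt_source prefix=src_
| table _time evt_user evt_actions evt_source src_ip src_country
```

The first pass keeps the nested object as a JSON string in evt_source, and the second pass reads that field to produce src_ip and src_country.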
See also
- Commands
- tojson
- Evaluation functions
- JSON functions
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 9.0.2208, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)