Splunk Event JSON to Table

Question

In splunk I have an event that contains JSON data indicating the status of a list of feature toggles. It looks like this

2023-01-05 15:59:00,025 INFO  [com.example.FeatureToggleRepository] (executor-thread-4) {correlationId=efe2d0be-a4bc-4555-9ef3-cc640a107208, sampled=true, spanId=b200d532717a1a3b, traceId=020c59784f3f5624917ccf12defbc00a} {"featureToggles":[{"id":1,"updatedAt":"2023-01-05T14:59:00.010+00:00","createdAt":"2023-01-05T14:59:00.010+00:00","feature":"FEATURE_1","enabled":true},{"id":12,"updatedAt":"2023-01-05T14:52:46.614+00:00","createdAt":"2023-01-05T14:52:46.614+00:00","feature":"SOME_FEATURE","enabled":true}]}

How can I extract that and present it in a table with columns for id, feature and enabled?

I have tried countless examples, but just cant seem to get it to work.

Thank you.

EDIT:

This is what I wound up doing

...query...
| rex field=_raw max_match=0 "id\W+(?<id>\d+)"
| rex field=_raw max_match=0 "updatedAt\W+(?<updated>[^\"]+)"
| rex field=_raw max_match=0 "createdAt\W+(?<created>[^\"]+)"
| rex field=_raw max_match=0 "feature\W+(?<feature>[^\"]+)"
| rex field=_raw max_match=0 "enabled\W+(?<enabled>\w+)"
| eval an_event=mvzip(mvzip(mvzip(mvzip(id,updated,";"),created,";"),feature,";"),enabled,";")
| fields - id updated created feature enabled
| mvexpand an_event
| rex field=an_event "(?<id>[^;]+);(?<updated>[^;]+);(?<created>[^;]+);(?<feature>[^;]+);(?<enabled>.+)"
| table id feature enabled

Answer 1

I suspect something like the following will work - but you're better off either getting this data as proper JSON (so Splunk handles it natively), or fixing your props.conf and transforms.conf

| rex field=_raw max_match=0 "id\W+(?<id>\d+)"
| rex field=_raw max_match=0 "updatedAt\W+(?<updated>[^\"]+)"
| rex field=_raw max_match=0 "createdAt\W+(?<created>[^\"]+)"
| rex field=_raw max_match=0 "feature\W+(?<feature>[^\"]+)"
| rex field=_raw max_match=0 "enabled\W+(?<enabled>\w+)"

Those will all be multivalue fields - so you may need to mvzip and then mvexpand them out (reextracting afterwards) like this:

| eval an_event=mvzip(mvzip(mvzip(mvzip(id,updated,";"),created,";"),feature,";"),enabled,";")
| fields - id updated created feature enabled
| mvexpand an_event
| rex field=an_event "(?<id>[^;]+);(?<updated>[^;]+);(?<created>[^;]+);(?<feature>[^;]+);(?<enabled>.+)"

Answer 2

@warren's answer is a good one. Here's another method for extracting the fields.

``` Extract the JSON body ```
| rex "(?<json>\{\\\"featureToggles.*\})"
``` Parse the JSON ```
| spath input=json
``` Make the field name easier to manage ```
| rename featureToggles{}.* as *
| table id feature enabled

As @warren also said, you may need to use mvzip and mvexpand to break the fields into separate events.