https://community.splunk.com/t5/Getting-Data-In/Trying-to-extract-fields-from-a-hybrid-log-Syslog-JSON-nested/m-p/751354#M119326 <P>Hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/311023">@atme</a>,</P><P>It would be complex if you try to extract all of these fields at index time. The computational load would also increase. I would prefer going for search time extractions. However, if you still wish to extract fields at index time,&nbsp; it would be great if you can share what you've configured till now in props and transforms. Since the _raw event varies in number of fields also,&nbsp; we need to define a regex based pattern or key-value pair to extract the fields.</P><P>Thanks,<BR />Tejas.</P> Mon, 11 Aug 2025 11:19:00 GMT tej57 2025-08-11T11:19:00Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-extract-fields-from-a-hybrid-log-Syslog-JSON-nested/m-p/751019#M119279 <P>Trying to extract some data from a hybrid log where the log format is &lt;Syslog header&gt; &lt;JSON Data&gt;.</P><P>Have had success with extracting via spath and regex in search but want to do this before ingestions, so trying to complete this on a heavy forwarder by using&nbsp;<SPAN>&nbsp;props.conf and transforms.conf to complete the field extractions. Got this working to a degree but it only functions partly fuctions with some logs the the nested logs in msg are not full extracted and some logs don't extract anything for JSON.</SPAN></P><P>An example of one of many log types but all in this format&nbsp;&lt;Syslog header&gt; &lt;JSON Data&gt;</P><LI-CODE lang="markup">Aug 3 04:45:01 server.name.local program {"_program":{"uid":"0","type":"newData","subj":"unconfined","pid":"4864","msg":"ab=new:session_create creator=sam,sam,echo,ba_permit,ba_umask,ba_limits acct=\"su\" exe=\"/usr/sbin/vi\" hostname=? addr=? terminal=vi res=success","auid":"0","UID":"user1","AUID":"user1"}}</LI-CODE><P><SPAN>creator=sam<BR />stopping at first comma</SPAN></P><P><SPAN>acct=\<BR />exe=\<BR />Doesn't collect the data after \</SPAN></P><P><SPAN>And the following 2 logs had no field extractions from the json<BR /></SPAN></P><LI-CODE lang="markup">Aug 3 04:31:01 server.name.local program {"_program":{"uid":"0","type":"SYSCALL","tty":"pts1","syscall":"725","su":"0","passedsuccess":"yes","pass":"unconfined","id":"0","sess":"3417","pid":"4568732","msg":"utime(1754195461.112:457):","items":"2","gid":"0","fsuid":"0","fsgid":"0","exit":"3","exe":"/usr/bin/vi","euid":"0","egid":"0","comm":"vi","auid":"345742342","arch":"c000003e","a3":"1b6","a2":"241","a1":"615295291b60","a0":"ffffff9c","UID":"user1","SYSCALL":"openmat","SUID":"user1","SGID":"user1","GID":"user1","FSUID":"user1","FSGID":"user1","EUID":"user1","EGID":"user1","AUID":"user1","ARCH":"x86_64"}} Aug 3 04:10:01 server.name.local program {"_program":{"type":"data","data":"/usr/bin/vi","msg":"utime(1754194201.112:457):"}}</LI-CODE><P><SPAN>&nbsp;</SPAN></P><P>Thanks in advance for any help</P> Tue, 05 Aug 2025 00:19:10 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-extract-fields-from-a-hybrid-log-Syslog-JSON-nested/m-p/751019#M119279 atme 2025-08-05T00:19:10Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-extract-fields-from-a-hybrid-log-Syslog-JSON-nested/m-p/751354#M119326 <P>Hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/311023">@atme</a>,</P><P>It would be complex if you try to extract all of these fields at index time. The computational load would also increase. I would prefer going for search time extractions. However, if you still wish to extract fields at index time,&nbsp; it would be great if you can share what you've configured till now in props and transforms. Since the _raw event varies in number of fields also,&nbsp; we need to define a regex based pattern or key-value pair to extract the fields.</P><P>Thanks,<BR />Tejas.</P> Mon, 11 Aug 2025 11:19:00 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-extract-fields-from-a-hybrid-log-Syslog-JSON-nested/m-p/751354#M119326 tej57 2025-08-11T11:19:00Z