https://community.splunk.com/t5/Getting-Data-In/JSON-Syslog-and-SPATH/m-p/22372#M3422 <P>Hi,</P> <P>I have JSON data being indexed from a syslog file i.e</P> <PRE><CODE>Nov 2 23:04:47 host1 /usr/local/bin/audit.rb[24503]: { "@fields" : { "action" : "check", "agent" : "server", "caller" : "user", "callerhost" : "system", "data" : "{:process_results=&gt;true}", "request_time" : 1351746758, "uniqid" : "73670e799fbf576b9225278cc46709c0" }, "@message" : "message", "@source" : "audit", "@source_host" : "host", "@tags" : [ ], "@timestamp" : "2012-11-01T05:12:38.169418Z", "@type" : "audit" } </CODE></PRE> <P>The problem is I cannot use spath to extract fields, i.e</P> <PRE><CODE> | spath output=action path=@fields.action </CODE></PRE> <P>If I remove the syslog section and only index the JSON data then it works without problems, i.e if the data is just.</P> <PRE><CODE>{ "@fields" : { "action" : "check", "agent" : "server", "caller" : "user", "callerhost" : "system", "data" : "{:process_results=&gt;true}", "request_time" : 1351746758, "uniqid" : "73670e799fbf576b9225278cc46709c0" }, "@message" : "message", "@source" : "audit", "@source_host" : "host", "@tags" : [ ], "@timestamp" : "2012-11-01T05:12:38.169418Z", "@type" : "audit" } </CODE></PRE> <P>Is this normal behaviour, is there a way around it whilst still being able to use the spath function?</P> <P>Thanks.</P> Fri, 02 Nov 2012 23:12:57 GMT matthewparry 2012-11-02T23:12:57Z https://community.splunk.com/t5/Getting-Data-In/JSON-Syslog-and-SPATH/m-p/22372#M3422 <P>Hi,</P> <P>I have JSON data being indexed from a syslog file i.e</P> <PRE><CODE>Nov 2 23:04:47 host1 /usr/local/bin/audit.rb[24503]: { "@fields" : { "action" : "check", "agent" : "server", "caller" : "user", "callerhost" : "system", "data" : "{:process_results=&gt;true}", "request_time" : 1351746758, "uniqid" : "73670e799fbf576b9225278cc46709c0" }, "@message" : "message", "@source" : "audit", "@source_host" : "host", "@tags" : [ ], "@timestamp" : "2012-11-01T05:12:38.169418Z", "@type" : "audit" } </CODE></PRE> <P>The problem is I cannot use spath to extract fields, i.e</P> <PRE><CODE> | spath output=action path=@fields.action </CODE></PRE> <P>If I remove the syslog section and only index the JSON data then it works without problems, i.e if the data is just.</P> <PRE><CODE>{ "@fields" : { "action" : "check", "agent" : "server", "caller" : "user", "callerhost" : "system", "data" : "{:process_results=&gt;true}", "request_time" : 1351746758, "uniqid" : "73670e799fbf576b9225278cc46709c0" }, "@message" : "message", "@source" : "audit", "@source_host" : "host", "@tags" : [ ], "@timestamp" : "2012-11-01T05:12:38.169418Z", "@type" : "audit" } </CODE></PRE> <P>Is this normal behaviour, is there a way around it whilst still being able to use the spath function?</P> <P>Thanks.</P> Fri, 02 Nov 2012 23:12:57 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-Syslog-and-SPATH/m-p/22372#M3422 matthewparry 2012-11-02T23:12:57Z https://community.splunk.com/t5/Getting-Data-In/JSON-Syslog-and-SPATH/m-p/22373#M3423 <P>this is normal. spath operates on either XML or JSON, and with the extra info, your data is not JSON. You can simply use eval prior to using spath to strip out the syslog info prior to piping to spath.</P> Mon, 05 Nov 2012 03:35:29 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-Syslog-and-SPATH/m-p/22373#M3423 gkanapathy 2012-11-05T03:35:29Z