<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to extract Fields custom JSON File in Splunk in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-Fields-custom-JSON-File-in-Splunk/m-p/292370#M55698</link>
    <description>&lt;P&gt;I have a custom JSON file in Splunk, but the SPATH command is not able to extract the fields from the data. Can anyone suggest what would be the best way to extract fields from the JSON data below?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;{"log":"| loglevel=\"INFO\" | hostname=\"import-1-4-3-2053088235-873gq\" | transactionId=\"a0991eed-46bd-49df-9545-87deae988b6c\" | serviceName=\"import\" | version=\"1.4.3\" | thread=\"https-jsse-nio-8443-exec-12\" | logger=\"c.a.e.s.l.d.s.impl.ScheduleServiceImpl \" | message=\"Get Schedule BOC\" | status=\"GET_SCHEDULE_BOC\" | code=\"00139\" | uri=\"https://layer-1-0-2.schedule-schedule/scheduleLayer/search?version=1\u0026envContext=PROD\u0026routeOffer=BLUE\" | request=\"{\"details.type\":\"signalpath\",\"details.boc\":\"0306\"}\" \n","stream":"stdout","time":"2017-05-13T16:50:41.377682354Z"}
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In Splunk the data appears formatted as JSON, but not all the fields appear JSON-formatted, and thus I feel the SPATH command is not working. I am able to extract the above content into a field named Log, but not the internal fields, which are separated by "|". Below is a screenshot of how the data appears in Splunk. Can anyone help me extract the fields automatically?&lt;/P&gt;

&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/2927i2BE756C146CBA8D2/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Sat, 13 May 2017 17:38:35 GMT</pubDate>
    <dc:creator>ashish9433</dc:creator>
    <dc:date>2017-05-13T17:38:35Z</dc:date>
    <item>
      <title>How to extract Fields custom JSON File in Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-Fields-custom-JSON-File-in-Splunk/m-p/292370#M55698</link>
      <description>&lt;P&gt;I have a custom JSON file in Splunk, but the SPATH command is not able to extract the fields from the data. Can anyone suggest what would be the best way to extract fields from the JSON data below?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;{"log":"| loglevel=\"INFO\" | hostname=\"import-1-4-3-2053088235-873gq\" | transactionId=\"a0991eed-46bd-49df-9545-87deae988b6c\" | serviceName=\"import\" | version=\"1.4.3\" | thread=\"https-jsse-nio-8443-exec-12\" | logger=\"c.a.e.s.l.d.s.impl.ScheduleServiceImpl \" | message=\"Get Schedule BOC\" | status=\"GET_SCHEDULE_BOC\" | code=\"00139\" | uri=\"https://layer-1-0-2.schedule-schedule/scheduleLayer/search?version=1\u0026envContext=PROD\u0026routeOffer=BLUE\" | request=\"{\"details.type\":\"signalpath\",\"details.boc\":\"0306\"}\" \n","stream":"stdout","time":"2017-05-13T16:50:41.377682354Z"}
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In Splunk the data appears formatted as JSON, but not all the fields appear JSON-formatted, and thus I feel the SPATH command is not working. I am able to extract the above content into a field named Log, but not the internal fields, which are separated by "|". Below is a screenshot of how the data appears in Splunk. Can anyone help me extract the fields automatically?&lt;/P&gt;

&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/2927i2BE756C146CBA8D2/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 13 May 2017 17:38:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-Fields-custom-JSON-File-in-Splunk/m-p/292370#M55698</guid>
      <dc:creator>ashish9433</dc:creator>
      <dc:date>2017-05-13T17:38:35Z</dc:date>
    </item>
    <item>
      <title>Re: How to extract Fields custom JSON File in Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-Fields-custom-JSON-File-in-Splunk/m-p/292371#M55699</link>
      <description>&lt;P&gt;So, on your already extracted spath (the screenshot output):&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;.. | rex field=log "(\w+)=([^\s]+)"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This will split the rest of the fields present within &lt;CODE&gt;log&lt;/CODE&gt; into key-value pairs.&lt;BR /&gt;
Example in regex101: &lt;A href="https://regex101.com/r/4Y0aJG/1"&gt;https://regex101.com/r/4Y0aJG/1&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 14 May 2017 06:50:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-extract-Fields-custom-JSON-File-in-Splunk/m-p/292371#M55699</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2017-05-14T06:50:26Z</dc:date>
    </item>
  </channel>
</rss>

