https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-a-JSON/m-p/307521#M57909 <P>Hello everybody,</P> <P>I have the next event registered in my splunk:</P> <PRE><CODE>Fri Mar 31 11:05:18 COT 2017 name=amqp_msg_received event_id=null msg_queue=seguros.traza.documentoValidado msg_exchange=seguros.cuadre.documentoValidado msg_body={"valid": true} </CODE></PRE> <P>And what i need is to extract the value of "valid", the source_type of the event is <EM>json_no_timestamp</EM>, how could i do this?</P> <P>I have tried using spath without luck, any advice?</P> <P>Thanks.</P> Tue, 29 Sep 2020 13:30:10 GMT ivykp 2020-09-29T13:30:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-a-JSON/m-p/307521#M57909 <P>Hello everybody,</P> <P>I have the next event registered in my splunk:</P> <PRE><CODE>Fri Mar 31 11:05:18 COT 2017 name=amqp_msg_received event_id=null msg_queue=seguros.traza.documentoValidado msg_exchange=seguros.cuadre.documentoValidado msg_body={"valid": true} </CODE></PRE> <P>And what i need is to extract the value of "valid", the source_type of the event is <EM>json_no_timestamp</EM>, how could i do this?</P> <P>I have tried using spath without luck, any advice?</P> <P>Thanks.</P> Tue, 29 Sep 2020 13:30:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-a-JSON/m-p/307521#M57909 ivykp 2020-09-29T13:30:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-a-JSON/m-p/307522#M57910 <P>Hi there mate, did you try something like this ?</P> <PRE><CODE>your search | spath input=msg_body </CODE></PRE> <P>Hope it helps.</P> Fri, 31 Mar 2017 17:07:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-a-JSON/m-p/307522#M57910 alemarzu 2017-03-31T17:07:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-a-JSON/m-p/307523#M57911 <P>Splunk must have extract field <CODE>msg_body</CODE> with some values as it's in classic kv format. What value do you get as part of msg_body field? Will the msg_body always going to contain "valid" or it may be something else?</P> Tue, 29 Sep 2020 13:30:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-fields-from-a-JSON/m-p/307523#M57911 somesoni2 2020-09-29T13:30:13Z