https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-JSON-from-a-specific-field/m-p/414068#M73238 <P>I tried search in the community support section for something similar to my issue.</P> <P>I am trying to parse a specific field which is actually in JSON format. Is there a way to parse out anything within the message section. Below is a sample.</P> <P>Field name is errorMessage_Field and contains the info below:</P> <P>{"level":"error","schema":{"loadingURI":"#","pointer":"/definitions/blah"},"instance":{"pointer":"/blah"},"domain":"validation","keyword":"required","message":"object has missing required properties ([\"presosBlahID\"])","required":["presosBlahID"],"missing":["presosBlahID"]}</P> <P>Using the JSON entry above, im trying to show a table that just shows:<BR /> Count | Detailed Error Message <BR /> 3 | Object has missing required properties: presosBlahID</P> <P>I realize that using spath is the way to do it but i have not been successful.</P> <P>index=index_name sourcetype="sourcetype_name errorMessage_Field="errorMessage earliest=-15h<BR /> | bucket span=1m _time<BR /> | stats count by errorMessage_Field <BR /> | fields count errorMessage_Field<BR /> | rename count AS "Error Count" <BR /> | rename errorMessage_Field AS "Detailed Error Message"</P> <P>Any assistance is greatly appreciated. </P> <P>Thanks!</P> Tue, 29 Sep 2020 20:56:47 GMT joshimeister 2020-09-29T20:56:47Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-JSON-from-a-specific-field/m-p/414068#M73238 <P>I tried search in the community support section for something similar to my issue.</P> <P>I am trying to parse a specific field which is actually in JSON format. Is there a way to parse out anything within the message section. Below is a sample.</P> <P>Field name is errorMessage_Field and contains the info below:</P> <P>{"level":"error","schema":{"loadingURI":"#","pointer":"/definitions/blah"},"instance":{"pointer":"/blah"},"domain":"validation","keyword":"required","message":"object has missing required properties ([\"presosBlahID\"])","required":["presosBlahID"],"missing":["presosBlahID"]}</P> <P>Using the JSON entry above, im trying to show a table that just shows:<BR /> Count | Detailed Error Message <BR /> 3 | Object has missing required properties: presosBlahID</P> <P>I realize that using spath is the way to do it but i have not been successful.</P> <P>index=index_name sourcetype="sourcetype_name errorMessage_Field="errorMessage earliest=-15h<BR /> | bucket span=1m _time<BR /> | stats count by errorMessage_Field <BR /> | fields count errorMessage_Field<BR /> | rename count AS "Error Count" <BR /> | rename errorMessage_Field AS "Detailed Error Message"</P> <P>Any assistance is greatly appreciated. </P> <P>Thanks!</P> Tue, 29 Sep 2020 20:56:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-JSON-from-a-specific-field/m-p/414068#M73238 joshimeister 2020-09-29T20:56:47Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-JSON-from-a-specific-field/m-p/414069#M73239 <P>I've has some issues with JSON where most but not all of it gets parsed. For those I've written a regex and dropped it into <CODE>props.conf</CODE> for that particular sourcetype or source. </P> <P>in search to test before adding to .props:</P> <P>index=index_name sourcetype=sourcetype_name errorMessage_Field=errorMessage earliest=-15h<BR /> | bucket span=1m _time<BR /> | stats count AS "Error Count" by errorMessage_Field<BR /> | rex field=errorMessage_Field "regex here is getting messed up see below"<BR /> | eval "Detailed Error Message"=mvzip('message','detail')<BR /> | table "Error Count" "Detailed Error Message"</P> <P>\"message\":\"(?&lt; message&gt;[\w\s]+)\s(\ [\\"(?&lt; detail&gt;[^\]+)</P> <P><STRONG><EM>there is an artificial space added before "message", the 2nd "[", and "detail" since this editor kept trying to interpret/mess the regex up</EM></STRONG></P> Tue, 29 Sep 2020 20:56:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-JSON-from-a-specific-field/m-p/414069#M73239 marycordova 2020-09-29T20:56:53Z