https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491646#M83992 <P>How to parse/index only json entry from raw data which are in non-uniform pattern?</P> Mon, 27 Jan 2020 07:10:11 GMT Boopalan 2020-01-27T07:10:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491646#M83992 <P>How to parse/index only json entry from raw data which are in non-uniform pattern?</P> Mon, 27 Jan 2020 07:10:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491646#M83992 Boopalan 2020-01-27T07:10:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491647#M83993 <P>From the below raw data only json need to be extracted/indexed in the splunk and should be viewed as json structured view while searching this logs on search head</P> <PRE><CODE>&lt;BOR&gt; ExSrc:Schwab.Client.Fx^ URL:null^ LogMsg:{"actor":{"Cust":null,"Acct":null,"Rep":null,"System":null},"header":{"AppId":null,"RecId":"null","Ver":"","StartTS":"null"},"source":{"Ip":"*","MacAddress":null,"SRCOS":"null","SRCRuntime":null,"SRCAppName":null,"SRCAppVersion":null,"SRCReqId":"null","CorrelationId":"null","SourceId":null,"Uri":"null"}}^ ExType:Common.Exceptions.ServiceCommunicationException^ &lt;EOR&gt; </CODE></PRE> Mon, 27 Jan 2020 07:17:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491647#M83993 Boopalan 2020-01-27T07:17:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491648#M83994 <PRE><CODE>| makeresults | eval _raw=" &lt;BOR&gt; ExSrc:Schwab.Client.Fx^ URL:null^ LogMsg:{\"actor\":{\"Cust\":null,\"Acct\":null,\"Rep\":null,\"System\":null},\"header\":{\"AppId\":null,\"RecId\":\"null\",\"Ver\":\"\",\"StartTS\":\"null\"},\"source\":{\"Ip\":\"*\",\"MacAddress\":null,\"SRCOS\":\"null\",\"SRCRuntime\":null,\"SRCAppName\":null,\"SRCAppVersion\":null,\"SRCReqId\":\"null\",\"CorrelationId\":\"null\",\"SourceId\":null,\"Uri\":\"null\"}}^ ExType:Common.Exceptions.ServiceCommunicationException^ &lt;EOR&gt;" | rex "(?&lt;json&gt;(?={).+})" | spath input=json | table actor* header* source* </CODE></PRE> <P>Extracting in search, like this.</P> Mon, 27 Jan 2020 07:47:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491648#M83994 to4kawa 2020-01-27T07:47:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491649#M83995 <P>Is there anyway to make this possible through configuration changes while parsing/indexing the log file itself</P> Mon, 27 Jan 2020 07:56:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491649#M83995 Boopalan 2020-01-27T07:56:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491650#M83996 <P>sorry, I can't. please ask others.<BR /> please tell me why do you want <CODE>while parsing/indexing the log file itself</CODE>?<BR /> Is <CODE>collect</CODE> bad? </P> Mon, 27 Jan 2020 10:20:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-index-only-json-entry-from-raw-data-which-are-in/m-p/491650#M83996 to4kawa 2020-01-27T10:20:30Z