https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352155#M93404 <P>can you give me a complete search query?</P> <P>I am doing,<BR /> index=* | table date, site</P> Wed, 31 Jan 2018 20:46:10 GMT ppanchal 2018-01-31T20:46:10Z https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352153#M93402 <P>Hi, <BR /> I want to extract fields like date, site, etc from the below log (jason), how can I do this?</P> <P>[{"date":"2018-01-30","site":"S01027","routePublishCount":"17","routeCount":"97","customerCount":"931"},{"date":"2018-01-30","site":"S02923","routePublishCount":"16","routeCount":"119","customerCount":"1248"},{"date":"2018-01-30","site":"S03175","routePublishCount":"14","routeCount":"79","customerCount":"701"},{"date":"2018-01-30","site":"S03422","routePublishCount":"24","routeCount":"146","customerCount":"1486"}]</P> Wed, 31 Jan 2018 20:19:26 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352153#M93402 ppanchal 2018-01-31T20:19:26Z https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352154#M93403 <P>Splunk can do some automatic handling of Json. After your initial search command, try piping either<BR /> | spath<BR /> or <BR /> | extract pairdelim="{,}" kvdelim=":"</P> Wed, 31 Jan 2018 20:30:58 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352154#M93403 anthonymelita 2018-01-31T20:30:58Z https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352155#M93404 <P>can you give me a complete search query?</P> <P>I am doing,<BR /> index=* | table date, site</P> Wed, 31 Jan 2018 20:46:10 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352155#M93404 ppanchal 2018-01-31T20:46:10Z https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352156#M93405 <P>I didn't pay close attention to your example being a single event multivalue json, so not entirely sure this will work:</P> <P>index=* <BR /> | extract pairdelim="{,}" kvdelim=":"<BR /> | table date, site</P> <P>there are other commands for handling multivalue like <CODE>mvexpand</CODE> </P> Wed, 31 Jan 2018 22:17:23 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352156#M93405 anthonymelita 2018-01-31T22:17:23Z https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352157#M93406 <P>Not sure why but the above query is returning only single value from the jason. Please help.</P> <P>date site<BR /> 2018-01-30 S01027</P> Thu, 01 Feb 2018 00:20:18 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352157#M93406 ppanchal 2018-02-01T00:20:18Z https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352158#M93407 <P>hey try this run anywhere search</P> <PRE><CODE>| makeresults | eval _raw="[{\"date\":\"2018-01-30\",\"site\":\"S01027\",\"routePublishCount\":\"17\",\"routeCount\":\"97\",\"customerCount\":\"931\"},{\"date\":\"2018-01-30\",\"site\":\"S02923\",\"routePublishCount\":\"16\",\"routeCount\":\"119\",\"customerCount\":\"1248\"},{\"date\":\"2018-01-30\",\"site\":\"S03175\",\"routePublishCount\":\"14\",\"routeCount\":\"79\",\"customerCount\":\"701\"},{\"date\":\"2018-01-30\",\"site\":\"S03422\",\"routePublishCount\":\"24\",\"routeCount\":\"146\",\"customerCount\":\"1486\"}]" | spath | rename {}.* as * </CODE></PRE> <P>In your environment, you should try</P> <PRE><CODE>index=&lt;your_index&gt; | spath | rename {}.* as * | table date site </CODE></PRE> <P>let me know if this helps!</P> Thu, 01 Feb 2018 06:45:47 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-data-from-Jason/m-p/352158#M93407 mayurr98 2018-02-01T06:45:47Z