https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380289#M6469 <P>Hello @ips_mandar,</P> <P>Your sample event does not consist of strict JSON data because of the non-JSON prefix and suffix.</P> <P>I suggest you extract the JSON data as a new field and then run spath on this field:</P> <PRE><CODE>yourbasesearch | rex field=_raw "(?&lt;json_data&gt;\{.+\})" | spath input=json_data </CODE></PRE> <P>The regex above is defined very broadly. Your sample event is full of strange symbols. So you might want to improve the regular expression.</P> <P>Ideally, you would index pure JSON data in Splunk and set the sourcetype to json. This way, the JSON data gets parsed automatically.</P> Mon, 24 Dec 2018 10:32:35 GMT whrg 2018-12-24T10:32:35Z https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380288#M6468 <P>Hi,</P> <P>I want to parse below json data .Below is one sample event-<BR /> Obj&#1;&#4;&#20;abco.codec&#8;null&#22;avro.schema�&#6;{"type":"record","name":"Eventtable","namespace":"abc.cdf.ghi","fields":[{"name":"SequenceNumber","type":"long"},{"name":"Offset","type":"string"},{"name":"EnqueuedTimeUtc","type":"string"},{"name":"SystemProperties","type":{"type":"map","values":["long","double","string","bytes"]}},{"name":"Properties","type":{"type":"map","values":["long","double","string","bytes","null"]}},{"name":"Body","type":["null","bytes"]}]}O��&#7;��&#14;D��&#21;�=XTPO��&#7;��&#14;D��&#21;�=XTP</P> <P>I tried <CODE>spath</CODE> but unable to get success. Can anyone help me to parse this json data</P> Mon, 24 Dec 2018 09:30:55 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380288#M6468 ips_mandar 2018-12-24T09:30:55Z https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380289#M6469 <P>Hello @ips_mandar,</P> <P>Your sample event does not consist of strict JSON data because of the non-JSON prefix and suffix.</P> <P>I suggest you extract the JSON data as a new field and then run spath on this field:</P> <PRE><CODE>yourbasesearch | rex field=_raw "(?&lt;json_data&gt;\{.+\})" | spath input=json_data </CODE></PRE> <P>The regex above is defined very broadly. Your sample event is full of strange symbols. So you might want to improve the regular expression.</P> <P>Ideally, you would index pure JSON data in Splunk and set the sourcetype to json. This way, the JSON data gets parsed automatically.</P> Mon, 24 Dec 2018 10:32:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380289#M6469 whrg 2018-12-24T10:32:35Z https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380290#M6470 <P>thanks @whrg<BR /> it is working at search time..<BR /> also to work at indextime if I remove all strange symbols before and after json data then simple spath command also might work.<BR /> Can you please help me to remove all strange symbols before indexing so it can parse the json data at indextime</P> Mon, 24 Dec 2018 11:16:03 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380290#M6470 ips_mandar 2018-12-24T11:16:03Z https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380291#M6471 <P>Perhaps you could modify the script which produces the log files. Modify the script that it only produces pure JSON without these headers and footers.</P> <P>If that's not feasible, check out this thread: <A href="https://answers.splunk.com/answers/637492/remove-first-part-of-string-before-creating-a-json.html">Remove first part of string before creating a JSON source type</A>.</P> <P>So I would suggest you put something like this in your props.conf:</P> <PRE><CODE>[source::/your/logfile] SEDCMD-remove_header = s/^.*?\{/{/1 </CODE></PRE> Tue, 25 Dec 2018 10:53:02 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-do-you-parse-the-following-JSON-data/m-p/380291#M6471 whrg 2018-12-25T10:53:02Z