topic Re: Finding data in Nested JSON in Splunk to create a splunk report in Reporting https://community.splunk.com/t5/Reporting/Finding-data-in-Nested-JSON-in-Splunk-to-create-a-splunk-report/m-p/549697#M9029 <P>What part of your example data contains the ID data you want to extract. That data does not look to be a valid JSON object, i.e. _raw seems to be containing a quoted nested JSON object.</P><P>Is it that Id: "&lt;&lt;&gt;&gt;" field? If so, then the simplest way to extract that is</P><LI-CODE lang="markup">| rex field=_raw "\"Id\":\"(?&lt;ID&gt;[^\"]*)"</LI-CODE><P>OR</P><LI-CODE lang="markup">| rex field=_raw "\"Id\":\"&lt;&lt;(?&lt;ID&gt;[^&gt;]*)"</LI-CODE><P>If you don't want the &lt;&lt;&gt;&gt; parts</P><P>&nbsp;</P> Wed, 28 Apr 2021 22:43:46 GMT bowesmana 2021-04-28T22:43:46Z Finding data in Nested JSON in Splunk to create a splunk report https://community.splunk.com/t5/Reporting/Finding-data-in-Nested-JSON-in-Splunk-to-create-a-splunk-report/m-p/549681#M9028 <P>I&nbsp;</P><P>need help in extracting<SPAN>&nbsp;</SPAN><STRONG>ID</STRONG><SPAN>&nbsp;</SPAN>from nested JSON data in Splunk for including this in report. Sample data:</P><P>{"preview":false,"result":{"_raw":"{"severity":"INFO","logger":"eu.notas.fns.###.utility.LoggingUtil","thread":"qtp1951963537-1006","message":{"###RequestId":"&lt;&lt;&gt;&gt;","msgDesc":"Image id Successfully ","fileName":null,"errorDesc":null,"requestType":"API","destination":"###_SERVICES","errorCode":null,"source":"EXTERNAL_issue-in","externalRequestId":"&lt;&lt;&gt;&gt;","responseCode":null,"Id":"&lt;&lt;&gt;&gt;","service":"notas-###-issue-in-data-service","stackTrace":null}}","_time":"2021-04-28T11:47:51.318+0200","host":"notas-###-issue-in-data-service-147-qthsj","index":"###_app_prod","linecount":"1","logger":"eu.notas.fns.###.utility.LoggingUtil","message.destination":"###_SERVICES","message.errorCode":"null","message.errorDesc":"null","message.externalRequestId":"&lt;&lt;&gt;&gt;","message.fileName":"null","message.Id":"&lt;&lt;&gt;&gt;","message.###RequestId":"&lt;&lt;&gt;&gt;","message.msgDesc":"Image id Successfully ","message.requestType":"API","message.responseCode":"null","message.service":"notas-###-issue-in-data-service","message.source":"EXTERNAL_issue-in","message.stackTrace":"null","punct":"{"":"","":".....","":"-","":{"":"----","":"_____",","severity":"INFO","source":"###","sourcetype":"###-prod-log","splunk_server":"no1-psplunkidx-14","thread":"qtp1951963537-1006","unix_category":"all_hosts","unix_group":"default"}}</P> Wed, 28 Apr 2021 19:06:41 GMT https://community.splunk.com/t5/Reporting/Finding-data-in-Nested-JSON-in-Splunk-to-create-a-splunk-report/m-p/549681#M9028 Denialsams 2021-04-28T19:06:41Z Re: Finding data in Nested JSON in Splunk to create a splunk report https://community.splunk.com/t5/Reporting/Finding-data-in-Nested-JSON-in-Splunk-to-create-a-splunk-report/m-p/549697#M9029 <P>What part of your example data contains the ID data you want to extract. That data does not look to be a valid JSON object, i.e. _raw seems to be containing a quoted nested JSON object.</P><P>Is it that Id: "&lt;&lt;&gt;&gt;" field? If so, then the simplest way to extract that is</P><LI-CODE lang="markup">| rex field=_raw "\"Id\":\"(?&lt;ID&gt;[^\"]*)"</LI-CODE><P>OR</P><LI-CODE lang="markup">| rex field=_raw "\"Id\":\"&lt;&lt;(?&lt;ID&gt;[^&gt;]*)"</LI-CODE><P>If you don't want the &lt;&lt;&gt;&gt; parts</P><P>&nbsp;</P> Wed, 28 Apr 2021 22:43:46 GMT https://community.splunk.com/t5/Reporting/Finding-data-in-Nested-JSON-in-Splunk-to-create-a-splunk-report/m-p/549697#M9029 bowesmana 2021-04-28T22:43:46Z