topic Re: How to extract fields from JSON logs without extracting by key-value pair? in Splunk Search

How to extract fields from JSON logs without extracting by key-value pair?

jsuryaprakash — Fri, 16 Jun 2017 01:07:14 GMT

Hi Ninjas, I am trying to extract fields from json logs but i have time stamp and some text data in front of array so i can't extract by using key value pair. Can anyone help me?

Jun 12 23:59:18 AM1-JJ-Arod-1 TESTIN-TUE {"addresses": {"local_ipv4": "99.9.9.999", "public_ipv4": "00.000.111.222"}, "cpu_info": {"idle": 00.1}, "date": "2017-06-12 23:59:01.291710", "disk_space": {"disk": "/dev/xvda1", "free": "54781", "pct_used": "6", "total": "60337"}, "host_type": "test", "hostname": "AM1-JJ-Arod-1", "memory_stats": {"available": 3483, "cached": 1747, "free": 1512, "percent": 7.3, "total": 3759, "used": "2247"}

Re: How to extract fields from JSON logs without extracting by key-value pair?

jsuryaprakash — Fri, 16 Jun 2017 01:10:56 GMT

I want to filter "Jun 12 23:59:18 AM1-JJ-Arod-1 TESTIN-TUE " out so that i can extract all fields in key value pair.
May I know the exact way how I can do it?

Re: How to extract fields from JSON logs without extracting by key-value pair?

woodcock — Fri, 16 Jun 2017 01:49:45 GMT

You need the spath command:

http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Spath

Re: How to extract fields from JSON logs without extracting by key-value pair?

ekcsoc — Mon, 13 Apr 2020 08:26:44 GMT

what if the field is mix of json and some other type. is it possible to parse the field at index time or search time without using spath ?

my dates is some what like this:

ssoId:023serwerwef32, RBA Request :

key=value&key=value&&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value

,RBA Response :

{"key":value","key":value","key":value","key":value","key":value","key":value","key":value","key":value".........}