https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424949#M121846 <P>You can also use the below mentioned regex, there are two regex, one captures everything after msg and other captures only till email, try this and let me know if it works for you.</P> <P>yourBaseQuery<BR /> |rex "\msg:\s+(?.*)"<BR /> | complete your search</P> <P>yourBaseQuery<BR /> | rex \msg:\s+(?\w+-\w+-\w+:\w+:\w+.\w+\s+\w+)<BR /> | complete your search</P> Tue, 10 Jul 2018 10:26:03 GMT manish_singh_77 2018-07-10T10:26:03Z https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424947#M121844 <P>trying to extract the msg field from an azure blob which uses the _json sourcetype - the msg : field shows as one long field - how to extract this please ?</P> <P><CODE>msg: 2018-07-10T06:53:42.803Z email|5b3c37d::Rules::ValidateUser:: ::BEGIN-RULE::<BR /> Validate - user {"_id":"25fd57973c","email":"blah@hotmail.com","email_verified":true,"clientID":"8NReZXmds4","updated_at":"2018-07-10T06:53:42.764Z","name":"blah@hotmail.com","picture":"https://web.png","user_id":"email|5b3c37dd","nickname":"nickname","identities":[{"user_id":"5b3c3","provider":"email","connection":"email","isSocial":false}],"created_at":"2018-07-04T02:58:55.014Z","user_metadata":{"firstname":"bob","lastname":"bob","name":"bob bob"},"global_client_id":"rEJsAkwGVI","app_metadata":{"client_info":{"MyAccount":{"first_login_time":"2018-07-04T02:58:55.422Z","count":7,"last_login_time":"2018-07-10T06:49:40.126Z","user_id":"a0uid_xxxxx"}}},"client_info":{"MyAccount":{"first_login_time":"2018-07-04T02:58:55.422Z","count":7,"last_login_time":"2018-07-10T06:49:40.126Z","user_id":"a0uid_46"}},"persistent":{}}</CODE> </P> <P>thanks</P> <P>*** UPDATE *** </P> <P>So i've made some progress where i can create a new_msg field stripping off the non-json part of the msg field : </P> <P><CODE>2018-07-10T06:53:42.803Z email|5b3c37d::Rules::ValidateUser:: ::BEGIN-RULE::Validate - user</CODE></P> <P>and then that allows me to run spath on the new_msg</P> <P><CODE>| rex field=msg "^[^{]+(?&lt;new_msg&gt;.*)" | spath input=new_msg</CODE></P> <P>now my field count has gone from ~50 to 500+ </P> <P>Is there a better way ?</P> Tue, 10 Jul 2018 07:41:15 GMT https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424947#M121844 Esky73 2018-07-10T07:41:15Z https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424948#M121845 <P>Pls try this in your search and let me know..</P> <P>extract pairdelim=",", kvdelim='":"'</P> Tue, 10 Jul 2018 09:56:11 GMT https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424948#M121845 manish_singh_77 2018-07-10T09:56:11Z https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424949#M121846 <P>You can also use the below mentioned regex, there are two regex, one captures everything after msg and other captures only till email, try this and let me know if it works for you.</P> <P>yourBaseQuery<BR /> |rex "\msg:\s+(?.*)"<BR /> | complete your search</P> <P>yourBaseQuery<BR /> | rex \msg:\s+(?\w+-\w+-\w+:\w+:\w+.\w+\s+\w+)<BR /> | complete your search</P> Tue, 10 Jul 2018 10:26:03 GMT https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424949#M121846 manish_singh_77 2018-07-10T10:26:03Z https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424950#M121847 <P>both of these errored with Regex: unrecognized character follows \</P> <P>I have updated my progress above. TY</P> Tue, 10 Jul 2018 12:55:00 GMT https://community.splunk.com/t5/Splunk-Search/extract-message-field-from-JSON/m-p/424950#M121847 Esky73 2018-07-10T12:55:00Z