topic Re: Extract Json Fields in Splunk Search

Extract Json Fields

srikanthr123 — Tue, 23 Jun 2020 08:02:14 GMT

We want to extract Json key&Value pairs, but source is prefixing the text before Json data.
Please let us know the search string to extract json fields.

*************************************
2020-06-22 23:52:40,895 INFO [Timer-Driven Process Thread-10] o.a.nifi.processors.standard.LogMessage LogMessage[id=2202601e] TEST{
"domain": "ABC",
"module": "TEST",
"EventID" : "1233"
}

Re: Extract Json Fields

to4kawa — Tue, 23 Jun 2020 08:32:59 GMT

try rex and spath input=rex_field

Re: Extract Json Fields

srikanthr123 — Tue, 23 Jun 2020 08:57:34 GMT

can you please share the rex command to extract the fields

Re: Extract Json Fields

srikanthr123 — Tue, 23 Jun 2020 10:09:00 GMT

I tried something like this but it is not working. can you please share the correct string

rex field=_raw "eventId=\"(?<eventId>.*)\"" | spath output=OpName path="eventId"

Re: Extract Json Fields

to4kawa — Tue, 23 Jun 2020 10:12:44 GMT

| makeresults | eval _raw="2020-06-22 23:52:40,895 INFO [Timer-Driven Process Thread-10] o.a.nifi.processors.standard.LogMessage LogMessage[id=2202601e] TEST{ \"domain\": \"ABC\", \"module\": \"TEST\", \"EventID\" : \"1233\" }" | rex "(?ms)(?<json>{.*})" | spath input=json

Is there a reason why you don't do as I said?