topic Re: Parse JSON string with different structures in Splunk Search

Parse JSON string with different structures

ashodha — Fri, 15 Jan 2021 20:40:08 GMT

We have Multiple apps that generate logs and there format is little different .

Splunk currently just shows that field as just a string ex:

{

id:1,

log: " {k1:v1,K2:v2}"

}

The K1 and K2 are not searchable.

log can have different format messages but we want all of them to be searchable.

Thanks

Re: Parse JSON string with different structures

scelikok — Fri, 15 Jan 2021 20:44:41 GMT

Hi @ashodha,

I think you see the "log" field, you can use spath like below;

| spath input=log | search k1="v1" K2="v2"

If this reply helps you an upvote is appreciated.

Re: Parse JSON string with different structures

to4kawa — Fri, 15 Jan 2021 21:38:28 GMT

index=_internal | head 1 | fields _raw | eval _raw="{\"id\":1,\"log\":\"\\\"{k1:v1,K2:v2}\\\"\"}" | eval data=_raw | rename COMMENT as "this is sample" | spath input=data | rex field=log mode=sed "s/(?<key>\w+):\s*(?<value>\w+)/\"\1\":\"\2\"/g s/\"(.*)\"/\1/" | spath input=log | search k1="v1"

It might be a little annoying.