https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-a-value-from-the-the-following-JSON/m-p/424459#M174228 <P>I want to extract the following values from below JSON. Values needs to be extracted from the highlighted text in Bold.</P> <PRE><CODE>model-cps-kkru-qa2 , Data Reconciliation, Honeywell.PMT.UOP.CPS.UniSimTaskService.exe. {"message":[{"raw":"06/12/18 05:37:47 [19] INFO :: TenantId = model-cps-kkru-qa2 :: JobId = 85db2e7e-8b6a-4482-9d0f-40d7c48c7aa1 :: CalcType = Data Reconciliation :: UniSimInvokerServices.UniSimApplicationServices : UniSim Job Run completed successfully!","severityLevel":"Informational","className":"Honeywell.PMT.UOP.CPS.UniSimTaskService.UniSimEventProcessorHost+d__23","methodName":"MoveNext","lineNumber":389,"domain":"Honeywell.PMT.UOP.CPS.UniSimTaskService.exe","loggerName":"UTELogger","threadName":"19"}],"internal":{"data":{"id":"1d75acfe-f919-11e8-b912-eb327d060bc3","documentVersion":"1.61"}},"context":{"data":{"eventTime":"2018-12-06T05:37:47.8836038Z","isSynthetic":false,"samplingRate":100.0},"cloud":{},"device":{"type":"PC","roleInstance":"usd-qa-wk2-eus","screenResolution":{}},"session":{"isFirst":false},"operation":{},"location":{"clientip":"0.0.0.0","continent":"North America","country":"United States","province":"Virginia","city":"Boydton"},"custom":{"dimensions":[{**"TenantId":"model-cps-kkru-qa2"**},{"LoggerName":"UTELogger"},{**"CalcType":"Data Reconciliation"**},{"JobId":"85db2e7e-8b6a-4482-9d0f-40d7c48c7aa1"},{"MethodName":"MoveNext"},{"LineNumber":"389"},{**"Domain":"Honeywell.PMT.UOP.CPS.UniSimTaskService.exe"**},{"ThreadName":"19"},{"ClassName":"Honeywell.PMT.UOP.CPS.UniSimTaskService.UniSimEventProcessorHost+d__23"},{"FileName":"C:\\Users\\E542204\\Source\\Repos\\cps-unisim-taskexecutor\\Honeywell.PMT.UOP.CPS.UniSimTaskExecutor\\UniSimEventProcessorHost.cs"}]}}} </CODE></PRE> Thu, 06 Dec 2018 06:57:47 GMT abhishekgandhe 2018-12-06T06:57:47Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-a-value-from-the-the-following-JSON/m-p/424459#M174228 <P>I want to extract the following values from below JSON. Values needs to be extracted from the highlighted text in Bold.</P> <PRE><CODE>model-cps-kkru-qa2 , Data Reconciliation, Honeywell.PMT.UOP.CPS.UniSimTaskService.exe. {"message":[{"raw":"06/12/18 05:37:47 [19] INFO :: TenantId = model-cps-kkru-qa2 :: JobId = 85db2e7e-8b6a-4482-9d0f-40d7c48c7aa1 :: CalcType = Data Reconciliation :: UniSimInvokerServices.UniSimApplicationServices : UniSim Job Run completed successfully!","severityLevel":"Informational","className":"Honeywell.PMT.UOP.CPS.UniSimTaskService.UniSimEventProcessorHost+d__23","methodName":"MoveNext","lineNumber":389,"domain":"Honeywell.PMT.UOP.CPS.UniSimTaskService.exe","loggerName":"UTELogger","threadName":"19"}],"internal":{"data":{"id":"1d75acfe-f919-11e8-b912-eb327d060bc3","documentVersion":"1.61"}},"context":{"data":{"eventTime":"2018-12-06T05:37:47.8836038Z","isSynthetic":false,"samplingRate":100.0},"cloud":{},"device":{"type":"PC","roleInstance":"usd-qa-wk2-eus","screenResolution":{}},"session":{"isFirst":false},"operation":{},"location":{"clientip":"0.0.0.0","continent":"North America","country":"United States","province":"Virginia","city":"Boydton"},"custom":{"dimensions":[{**"TenantId":"model-cps-kkru-qa2"**},{"LoggerName":"UTELogger"},{**"CalcType":"Data Reconciliation"**},{"JobId":"85db2e7e-8b6a-4482-9d0f-40d7c48c7aa1"},{"MethodName":"MoveNext"},{"LineNumber":"389"},{**"Domain":"Honeywell.PMT.UOP.CPS.UniSimTaskService.exe"**},{"ThreadName":"19"},{"ClassName":"Honeywell.PMT.UOP.CPS.UniSimTaskService.UniSimEventProcessorHost+d__23"},{"FileName":"C:\\Users\\E542204\\Source\\Repos\\cps-unisim-taskexecutor\\Honeywell.PMT.UOP.CPS.UniSimTaskExecutor\\UniSimEventProcessorHost.cs"}]}}} </CODE></PRE> Thu, 06 Dec 2018 06:57:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-a-value-from-the-the-following-JSON/m-p/424459#M174228 abhishekgandhe 2018-12-06T06:57:47Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-a-value-from-the-the-following-JSON/m-p/424460#M174229 <P>Hi,</P> <P>As this is full JSON event, you can index this data with below configuration on Universal Forwarder and splunk will automatically extract all fields present in JSON data.</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] INDEXED_EXTRACTIONS = JSON </CODE></PRE> <P>If you want to extract event at Search time you can use below query.</P> <PRE><CODE>&lt;yourBaseSearch&gt; | spath </CODE></PRE> <P>This will extract data in fields <CODE>context.custom.dimensions{}.TenantId</CODE>, <CODE>context.custom.dimensions{}.CalcType</CODE> and <CODE><BR /> context.custom.dimensions{}.Domain</CODE></P> Thu, 06 Dec 2018 13:50:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-a-value-from-the-the-following-JSON/m-p/424460#M174229 harsmarvania57 2018-12-06T13:50:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-a-value-from-the-the-following-JSON/m-p/424461#M174230 <P>If you want to get just those 3, you can do this inline:</P> <PRE><CODE>| eval TenantId=spath(json,"context.custom.dimensions.[TenantId]") | eval CalcType=spath(json,"context.custom.dimensions.[CalcType]") | eval Domain=spath(json,"context.custom.dimensions.[Domain]") </CODE></PRE> <P>Not 100% sure about the brackets though.</P> Thu, 06 Dec 2018 21:21:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-a-value-from-the-the-following-JSON/m-p/424461#M174230 jpolvino 2018-12-06T21:21:30Z