topic Re: Extract fields from json attributes in Splunk Search

How to extract fields from json attributes?

sergimola — Tue, 21 Feb 2023 18:27:42 GMT

I am sending some traces from my service to Splunk using the OpenTelemetry Collector and the Splunk HEC exporter.

My traces are getting to Splunk and their fields in general properly identified, but I would like for the attributes of an event that have a json format to be further decomposed into fields.

This is an example of an event:

I would like for the `attributes.data` field to be further decomposed.

Is that possible?

Re: Extract fields from json attributes

ITWhisperer — Tue, 21 Feb 2023 13:27:25 GMT

You can use spath in your search SPL to extract fields from JSON data.

Re: Extract fields from json attributes

richgalloway — Tue, 21 Feb 2023 13:27:26 GMT

Use the spath command in your search query to extract fields from JSON events.

Re: Extract fields from json attributes

sergimola — Tue, 21 Feb 2023 14:11:46 GMT

I've looked into `spath`, but I think there's something else on top of that.

It works for the event itself wich is a json event, but onf the the properties inside this json event is also a json structure.

Using this works fine:

| spath output=data path=attributes.data

But if I want to create a field out of the `Number` property in `attributes.data` that doesn't work

| spath output=data_number path=attributes.data.Number

Re: Extract fields from json attributes

ITWhisperer — Tue, 21 Feb 2023 15:33:14 GMT

| spath output=data path=attributes.data | spath input=data

Re: Extract fields from json attributes

sergimola — Tue, 21 Feb 2023 20:43:26 GMT

Oh, nice, this works!

Thanks.