topic How to parse JSON like-data with extracted server name as a column? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-parse-JSON-like-data-with-extracted-server-name-as-a/m-p/646685#M223836 <P>Howdy</P> <P>&nbsp;</P> <P>We've got this data:</P> <P>&nbsp;</P> <P>Each log line is like:</P> <P>{"serverX.somedom.com" : {"key.value.pair1": "0",&nbsp;"key.value.pair2": "1",&nbsp;"key.value.pair3": "2" }}</P> <P>How can I access any of&nbsp; key value pairs I want and&nbsp; use the&nbsp;serverX.somedom.com&nbsp; as well?</P> <P>&nbsp;</P> <P>To produce something like:</P> <P>&nbsp;</P> <P>|Server|key.value.pair1|key.value.pair2|Time|</P> <P>|serverX.somedom.com|0|1|"time"</P> <P>&nbsp;</P> <P>I've looked for lots of JSON and/or spath commands/post but I'm needing some more knowledge here..</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 13 Jun 2023 13:17:08 GMT modulussplunk 2023-06-13T13:17:08Z How to parse JSON like-data with extracted server name as a column? https://community.splunk.com/t5/Splunk-Search/How-to-parse-JSON-like-data-with-extracted-server-name-as-a/m-p/646685#M223836 <P>Howdy</P> <P>&nbsp;</P> <P>We've got this data:</P> <P>&nbsp;</P> <P>Each log line is like:</P> <P>{"serverX.somedom.com" : {"key.value.pair1": "0",&nbsp;"key.value.pair2": "1",&nbsp;"key.value.pair3": "2" }}</P> <P>How can I access any of&nbsp; key value pairs I want and&nbsp; use the&nbsp;serverX.somedom.com&nbsp; as well?</P> <P>&nbsp;</P> <P>To produce something like:</P> <P>&nbsp;</P> <P>|Server|key.value.pair1|key.value.pair2|Time|</P> <P>|serverX.somedom.com|0|1|"time"</P> <P>&nbsp;</P> <P>I've looked for lots of JSON and/or spath commands/post but I'm needing some more knowledge here..</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 13 Jun 2023 13:17:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-JSON-like-data-with-extracted-server-name-as-a/m-p/646685#M223836 modulussplunk 2023-06-13T13:17:08Z Re: Parsing JSON like-data with extracted server name as a column? https://community.splunk.com/t5/Splunk-Search/How-to-parse-JSON-like-data-with-extracted-server-name-as-a/m-p/646686#M223837 <P>BTW, I could 'hack' this by using split and mvindex but that seems very hackish...like grep/sed/awk...I am trying to actually understand how to to this 'properly.</P> Mon, 12 Jun 2023 15:56:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-JSON-like-data-with-extracted-server-name-as-a/m-p/646686#M223837 modulussplunk 2023-06-12T15:56:12Z