topic Re: How to extract Json field having key value pairs delimited by pipe character? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-field-having-key-value-pairs-delimited-by/m-p/658065#M227307 <P>I assume that Splunk already gives you msg as a field. &nbsp;You can then use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Extract" target="_blank" rel="noopener">extract</A> on it.</P><LI-CODE lang="markup">index=wf_pvsi_other wf_id=swbs wf_env=prod sourcetype="wf:swbs:profiling:txt" | rename msg as _raw | extract | search AppBody=SOR_RESP DestId=EIW | table SrcApp, SubApp, RefMsgNm, DestId, MsgNm | fillnull value=NA SubApp | top SrcApp, SubApp, RefMsgNm, DestId, MsgNm limit=100 | rename SrcApp as Channel, SubApp as "Sub Application", RefMsgNm as Message, DestId as SOR, MsgNm as "SOR Message" | fields Channel, "Sub Application", Message,SOR,"SOR Message",count | sort Channel,"Sub Application", Message,SOR, "SOR Message", count</LI-CODE><P>(As your new source is JSON, overriding _raw should be fine.) &nbsp;Hope this helps.</P> Wed, 20 Sep 2023 00:23:07 GMT yuanliu 2023-09-20T00:23:07Z How to extract Json field having key value pairs delimited by pipe character? https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-field-having-key-value-pairs-delimited-by/m-p/657682#M227154 <P>I had data like this in Splunk.</P><P><SPAN class="">DT=2023-09-13T23:59:56.029-0500</SPAN><SPAN>|</SPAN><SPAN class="">LogId=WFTxLog</SPAN><SPAN>|</SPAN><SPAN class="">AppId=SWBS</SPAN><SPAN>|</SPAN><SPAN class="">AppInst=server1:/apps/comp/swbs/instances/99912</SPAN><SPAN>|</SPAN><SPAN class="">TId=executorWithCallerRunsPolicy-30</SPAN><SPAN>|</SPAN><SPAN class="">ProcId=dc47cf25-2318-4f61-bd33-10f8928916ce</SPAN><SPAN>|</SPAN><SPAN class="">RefMsgNm=creditDecisionInformation2011_02</SPAN><SPAN>|</SPAN><SPAN class="">MsgId=fc1935b6-06c0-42bb-89d1-caf1076fff68</SPAN><SPAN>|</SPAN><SPAN class="">SrcApp=XX</SPAN><SPAN>|</SPAN><SPAN class="">ViewPrefs=CUSTOMER_202108-customerDetailIndicator</SPAN><SPAN>,</SPAN><SPAN class="">customerRelationshipDailyUpdateIndicator</SPAN><SPAN>,</SPAN><SPAN class="">customerRelationshipMonthlyUpdateIndicator</SPAN><SPAN>,</SPAN><SPAN class="">customerRelationshipSummaryIndicator</SPAN><SPAN>,</SPAN><SPAN class="">customerRiskSummaryIndicator~ACCOUNT_201505-accountOverLimitIndicator</SPAN><SPAN>,</SPAN><SPAN class="">creditChargeoffIndicator</SPAN><SPAN>,</SPAN><SPAN class="">creditDelinquencyIndicator</SPAN><SPAN>,</SPAN><SPAN class="">creditLineDecreaseIndicator</SPAN><SPAN>,</SPAN><SPAN class="">creditLineRestrictionIndicator</SPAN><SPAN>,</SPAN><SPAN class="">creditProductNSFIndicator</SPAN><SPAN>,</SPAN><SPAN class="">depositClosedForCauseIndicator</SPAN><SPAN>,</SPAN><SPAN class="">depositHardHoldIndicator</SPAN><SPAN>,</SPAN><SPAN class="">forcedClosedIndicator</SPAN><SPAN>,</SPAN><SPAN class="">nonExpansionQueueIndicator</SPAN><SPAN>,</SPAN><SPAN class="">outOfBoundIndicator</SPAN><SPAN>,</SPAN><SPAN class="">overdraftOnDepositIndicator</SPAN><SPAN>,</SPAN><SPAN class="">returnedDepositItemsIndicator</SPAN><SPAN>,</SPAN><SPAN class="">disasterReliefIndicator~APPLICANT_201111-applicationDetailIndicator</SPAN><SPAN>,</SPAN><SPAN class="">incomeDetailIndicator~MULTIPLE_ACCOUNT_CUSTOMER-riskRecommendationIndicator~CUSTOMER_CLI_201705-customerCLIDataIndicator</SPAN><SPAN>|</SPAN><SPAN class="">TxAct=Response</SPAN> <SPAN class="">Received</SPAN><SPAN>|</SPAN><SPAN class="">DestId=EIW</SPAN><SPAN>|</SPAN><SPAN class="">MsgNm=customerRltnshipMonthlySummaryTaxId</SPAN><SPAN>|</SPAN><SPAN class="">Elapsed=199</SPAN><SPAN>|</SPAN><SPAN class="">AppBody=SOR_RESP|</SPAN></P><P>I had a query like this.</P><P>index=wf_pvsi_other wf_id=swbs wf_env=prod sourcetype="wf:swbs:profiling:txt" AppBody=SOR_RESP DestId=EIW | table SrcApp, SubApp, RefMsgNm, DestId, MsgNm | fillnull value=NA SubApp | top SrcApp, SubApp, RefMsgNm, DestId, MsgNm limit=100 | rename SrcApp as Channel, SubApp as "Sub Application", RefMsgNm as Message, DestId as SOR, MsgNm as "SOR Message" | fields Channel, "Sub Application", Message,SOR,"SOR Message",count | sort Channel,"Sub Application", Message,SOR, "SOR Message", count</P><P>Now, my app moved to cloud and the log data is embedded within JSON and event show up in Splunk like this. Application specific log data is present as a value of JSON field "msg".</P><P><SPAN>{"</SPAN><SPAN class="">cf_app_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">75390614-95dc-474e-ad63-2358769b0641</SPAN><SPAN>","</SPAN><SPAN class="">cf_app_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">CA00000-app-uat</SPAN><SPAN>","</SPAN><SPAN class="">cf_org_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">7cc80b1c-0453-4487-ba19-4e3ffc868cf3</SPAN><SPAN>","</SPAN><SPAN class="">cf_org_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">CA00000-test</SPAN><SPAN>","</SPAN><SPAN class="">cf_space_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">dd35773f-63cb-4ed3-8199-2ae2ff1331f8</SPAN><SPAN>","</SPAN><SPAN class="">cf_space_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">uat</SPAN><SPAN>","</SPAN><SPAN class="">deployment</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">cf-ab9ba4f5a0f082dfc130</SPAN><SPAN>","</SPAN><SPAN class="">event_type</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">LogMessage</SPAN><SPAN>","</SPAN><SPAN class="">ip</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"0</SPAN><SPAN class="">0.00.000.00</SPAN><SPAN>","</SPAN><SPAN class="">job</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">diego_cell</SPAN><SPAN>","</SPAN><SPAN class="">job_index</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">77731dca-f4e8-4079-a97d-b65f20911c53</SPAN><SPAN>","</SPAN><SPAN class="">message_type</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">OUT</SPAN><SPAN>","</SPAN><SPAN class="">msg</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><STRONG><SPAN class=""><SPAN class="">DT=2023-09-14T21:41</SPAN>:52.638-0500</SPAN>|<SPAN class="">LogId=WFTxLog</SPAN>|<SPAN class="">AppId=SWBS</SPAN>|<SPAN class="">AppInst=ff664658-a378-42f4-4a4d-2330:/home/vcap/app</SPAN>|<SPAN class="">TId=executorWithCallerRunsPolicy-7</SPAN>|<SPAN class="">ProcId=92d42ef2-7940-48e8-b4df-1f92790b657e</SPAN>|<SPAN class="">RefMsgNm=creditDecisionInformation2011_02</SPAN>|<SPAN class="">MsgId=8f5a46f8-7288-442f-9f56-ecaa05b345af</SPAN>|<SPAN class="">SrcApp=XX</SPAN>|<SPAN class="">ViewPrefs=CUSTOMER_201605-customerDetailIndicator</SPAN>,<SPAN class="">customerRiskSummaryIndicator~ACCOUNT_201505-accountOverLimitIndicator</SPAN>,<SPAN class="">creditChargeoffIndicator</SPAN>,<SPAN class="">creditDelinquencyIndicator</SPAN>,<SPAN class="">creditLineDecreaseIndicator</SPAN>,<SPAN class="">creditLineRestrictionIndicator</SPAN>,<SPAN class="">creditProductNSFIndicator</SPAN>,<SPAN class="">depositClosedForCauseIndicator</SPAN>,<SPAN class="">depositHardHoldIndicator</SPAN>,<SPAN class="">forcedClosedIndicator</SPAN>,<SPAN class="">foreclosureIndicator</SPAN>,<SPAN class="">loanModifcationPrgrmIndicator</SPAN>,<SPAN class="">nonExpansionQueueIndicator</SPAN>,<SPAN class="">outOfBoundIndicator</SPAN>,<SPAN class="">overdraftOnDepositIndicator</SPAN>,<SPAN class="">returnedDepositItemsIndicator</SPAN>,<SPAN class="">SSDILPrgrmIndicator</SPAN>|<SPAN class="">TxAct=Response</SPAN> <SPAN class="">Received</SPAN>|<SPAN class=""><SPAN class="">DestId=EIW</SPAN></SPAN>|<SPAN class="">MsgNm=customerRiskSummaryTaxId</SPAN>|<SPAN class="">Elapsed=259</SPAN>|<SPAN class=""><SPAN class="">AppBody=SOR_RESP</SPAN></SPAN></STRONG><SPAN><STRONG>|</STRONG>","</SPAN><SPAN class="">origin</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">rep</SPAN><SPAN>","</SPAN><SPAN class="">source_instance</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">0</SPAN><SPAN>","</SPAN><SPAN class="">source_type</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">APP/PROC/WEB</SPAN><SPAN>","</SPAN><SPAN class="">tags</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">instance_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">0</SPAN><SPAN>","</SPAN><SPAN class="">process_instance_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">ff664658-a378-42f4-4a4d-2330</SPAN><SPAN>","</SPAN><SPAN class="">space_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">dd35773f-63cb-4ed3-8199-2ae2ff1331f8</SPAN><SPAN>","</SPAN><SPAN class="">space_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">uat</SPAN><SPAN>"},"</SPAN><SPAN class="">timestamp</SPAN><SPAN>"</SPAN><SPAN class="">:1694745712641480200}</SPAN></P><P><SPAN class="">I want Splunk query output to present like earlier. How to do this? Any suggestions?</SPAN></P><P>&nbsp;</P> Fri, 15 Sep 2023 03:09:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-field-having-key-value-pairs-delimited-by/m-p/657682#M227154 BK_MSP 2023-09-15T03:09:35Z Re: How to extract Json field having key value pairs delimited by pipe character? https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-field-having-key-value-pairs-delimited-by/m-p/658065#M227307 <P>I assume that Splunk already gives you msg as a field. &nbsp;You can then use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Extract" target="_blank" rel="noopener">extract</A> on it.</P><LI-CODE lang="markup">index=wf_pvsi_other wf_id=swbs wf_env=prod sourcetype="wf:swbs:profiling:txt" | rename msg as _raw | extract | search AppBody=SOR_RESP DestId=EIW | table SrcApp, SubApp, RefMsgNm, DestId, MsgNm | fillnull value=NA SubApp | top SrcApp, SubApp, RefMsgNm, DestId, MsgNm limit=100 | rename SrcApp as Channel, SubApp as "Sub Application", RefMsgNm as Message, DestId as SOR, MsgNm as "SOR Message" | fields Channel, "Sub Application", Message,SOR,"SOR Message",count | sort Channel,"Sub Application", Message,SOR, "SOR Message", count</LI-CODE><P>(As your new source is JSON, overriding _raw should be fine.) &nbsp;Hope this helps.</P> Wed, 20 Sep 2023 00:23:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-field-having-key-value-pairs-delimited-by/m-p/658065#M227307 yuanliu 2023-09-20T00:23:07Z