https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704416#M238699 <P>Team,<BR />I am bit new to Splunk, need help to pull ERR message from below sample raw data.&nbsp;<BR /><BR />{"hosting_environment": "nonp", "application_environment": "nonp", "message": "[20621] 2024/11/14 12:39:46.899958 [ERR] 10.25.1.2:30080 - pid:96866" - unable to connect to endpoint , "service": "hello world"}</P><P>&nbsp;</P><P>Thanks!</P> Thu, 14 Nov 2024 13:36:03 GMT drogo 2024-11-14T13:36:03Z https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704416#M238699 <P>Team,<BR />I am bit new to Splunk, need help to pull ERR message from below sample raw data.&nbsp;<BR /><BR />{"hosting_environment": "nonp", "application_environment": "nonp", "message": "[20621] 2024/11/14 12:39:46.899958 [ERR] 10.25.1.2:30080 - pid:96866" - unable to connect to endpoint , "service": "hello world"}</P><P>&nbsp;</P><P>Thanks!</P> Thu, 14 Nov 2024 13:36:03 GMT https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704416#M238699 drogo 2024-11-14T13:36:03Z https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704417#M238700 <P>This is a bit vague - Do you want to search for events that have ERR in? Do you want to extract what comes after "[ERR}" in the message field? Do you already have these JSON fields extracted?</P> Thu, 14 Nov 2024 13:42:49 GMT https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704417#M238700 ITWhisperer 2024-11-14T13:42:49Z https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704418#M238701 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254896">@drogo</a>&nbsp;,</P><P>if you use the INDEXED_EXTRACTIONS=JSON option for the sourcetype you're using for those data, you have all the fileds extracted.</P><P>If you don't see this field, youcan use a regex to extract it:</P><LI-CODE lang="markup">| rex "\d*\s\[(?&lt;message&gt;[^\]]+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/QcGAwT/1" target="_blank">https://regex101.com/r/QcGAwT/1</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 14 Nov 2024 13:46:20 GMT https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704418#M238701 gcusello 2024-11-14T13:46:20Z https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704477#M238709 <P>If your events are truly in JSON, you are asking the wrong question. &nbsp;Let me explain.</P><P>The sample you illustrated above is not JSON compliant. &nbsp;Specifically, quotation marks are badly placed. &nbsp;So, the most important question is whether the sample is faithful. &nbsp;Or do you mean a compliant JSON like this:</P><LI-CODE lang="markup">{"hosting_environment": "nonp", "application_environment": "nonp", "message": "[20621] 2024/11/14 12:39:46.899958 [ERR] 10.25.1.2:30080 - pid:96866 - unable to connect to endpoint", "service": "hello world"}</LI-CODE><P>Assuming your raw events are JSON compliant, Splunk would give you a field named <U>message</U>. &nbsp;The task is simply to extract the desired part from this field. &nbsp;In other words, the fact that data is JSON should have no bearing on your question. &nbsp;If I read your mind correctly, you want the string after [ERR]. (I'm not joking about reading mind. &nbsp;You should always illustrate what you want using sample data.) &nbsp;Therefore</P><LI-CODE lang="markup">| rex field=message "\[ERR\] (?&lt;error&gt;.+)"</LI-CODE><P>If, on the other hand, your raw events are mangled like in your illustration, the answer will depend on how badly mangled the events are. &nbsp;The best solution would be to implore your developers to fix the log.</P><P>Either way, the question is really not about JSON.</P> Fri, 15 Nov 2024 06:41:06 GMT https://community.splunk.com/t5/Splunk-Search/Filter-data-from-json-file/m-p/704477#M238709 yuanliu 2024-11-15T06:41:06Z