https://community.splunk.com/t5/Splunk-Search/JSON-extraction-needed/m-p/711954#M240267 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/86891">@mbasharat</a>&nbsp;</P><P>Add "| spath input=body" to your SPL - this will then extract the fields within the body JSON key as keyval fields in your results.</P><P>Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.<BR />Regards</P><P>Will</P> Tue, 18 Feb 2025 22:21:57 GMT livehybrid 2025-02-18T22:21:57Z https://community.splunk.com/t5/Splunk-Search/JSON-extraction-needed/m-p/711950#M240266 <P>Hi. I have below raw event/s.<BR /><BR /><STRONG>Highlighted Syntax:</STRONG><BR /><SPAN>{ [-]</SPAN><SPAN><BR />&nbsp;&nbsp;&nbsp;<SPAN class=""><SPAN class="">body</SPAN>:&nbsp;<SPAN class="">{"isolation": "isolation","device_classification": "Network Access Control","ip": "1.2.3.4", "mac": "Unknown","dns_hn": "XYZ","policy": "TEST_BLOCK","network_fn": "CounterACT Device","os_fingerprint": "CounterACT Appliance","nic_vendor": "Unknown Vendor","ipv6": "Unknown",}</SPAN></SPAN><BR />&nbsp;&nbsp;&nbsp;<SPAN class=""><SPAN class="">ctupdate</SPAN>:&nbsp;<SPAN class="">notif</SPAN></SPAN><BR />&nbsp;&nbsp;&nbsp;<SPAN class=""><SPAN class="">eventTimestamp</SPAN>:&nbsp;<SPAN class="">1739913406</SPAN></SPAN><BR />&nbsp;&nbsp;&nbsp;<SPAN class=""><SPAN class="">ip</SPAN>:&nbsp;<SPAN class="">1.2.3.4</SPAN></SPAN><BR />&nbsp;&nbsp;&nbsp;<SPAN class=""><SPAN class="">tenant_id</SPAN>:&nbsp;<SPAN class="">CounterACT__sample</SPAN></SPAN></SPAN><BR /><SPAN>}</SPAN><BR /><BR /><STRONG>Raw Text:</STRONG><BR /><SPAN>{"</SPAN><SPAN class="">tenant_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">CounterACT__sample</SPAN><SPAN>","</SPAN><SPAN class="">body</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"{</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">isolation\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">isolation\</SPAN><SPAN>",</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">device_classification\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">Network</SPAN> <SPAN class="">Access</SPAN> <SPAN class="">Control\</SPAN><SPAN>",</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">ip\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">1.2.3.4\</SPAN><SPAN>", </SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">mac\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">Unknown\</SPAN><SPAN>",</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">dns_hn\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">XYZ\</SPAN><SPAN>",</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">policy\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"TEST</SPAN><SPAN class="">_BLOCK\</SPAN><SPAN>",</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">network_fn\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">CounterACT</SPAN> <SPAN class="">Device\</SPAN><SPAN>",</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">os_fingerprint\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">CounterACT</SPAN> <SPAN class="">Appliance\</SPAN><SPAN>",</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">nic_vendor\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">Unknown</SPAN> <SPAN class="">Vendor\</SPAN><SPAN>",</SPAN><SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">ipv6\</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN> <SPAN class="">\</SPAN><SPAN>"</SPAN><SPAN class="">Unknown\</SPAN><SPAN>",}","</SPAN><SPAN class="">ctupdate</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">notif</SPAN><SPAN>","</SPAN><SPAN class="">ip</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"1.2.3.4</SPAN><SPAN>","</SPAN><SPAN class="">eventTimestamp</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">1739913406</SPAN><SPAN>"}<BR /><BR /></SPAN>I need below fields=value extracted from each event at search time. It is a very small dataset:<BR /><BR />isolation=isolation<BR />policy=TEST_BLOCK<BR />ctupdate=notif<BR />ip=1.2.3.4<BR />ipv6=Unknown<BR />mac=Unknown<BR />dns_hn=XYZ<BR />eventTimestamp=<SPAN class="">1739913406</SPAN><BR /><BR />Thank you in advance!!!<BR /><BR /></P> Tue, 18 Feb 2025 21:36:02 GMT https://community.splunk.com/t5/Splunk-Search/JSON-extraction-needed/m-p/711950#M240266 mbasharat 2025-02-18T21:36:02Z https://community.splunk.com/t5/Splunk-Search/JSON-extraction-needed/m-p/711954#M240267 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/86891">@mbasharat</a>&nbsp;</P><P>Add "| spath input=body" to your SPL - this will then extract the fields within the body JSON key as keyval fields in your results.</P><P>Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.<BR />Regards</P><P>Will</P> Tue, 18 Feb 2025 22:21:57 GMT https://community.splunk.com/t5/Splunk-Search/JSON-extraction-needed/m-p/711954#M240267 livehybrid 2025-02-18T22:21:57Z https://community.splunk.com/t5/Splunk-Search/JSON-extraction-needed/m-p/711956#M240269 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;!!!!! I knew I was dosing off at the end of the day.... LOL</P> Tue, 18 Feb 2025 22:35:38 GMT https://community.splunk.com/t5/Splunk-Search/JSON-extraction-needed/m-p/711956#M240269 mbasharat 2025-02-18T22:35:38Z