topic Re: How to extract fields from JSON data in Splunk? in Splunk Search

How to extract fields from JSON data in Splunk?

kotig — Sun, 07 Feb 2016 07:27:02 GMT

We have the below data, out of which I wanted to extract specific data from the json format.

06/Feb/2016:16:10:06.501 [bd5d5700]        
 {
"success":
{
"success_code":"200",
"request path":"/testedata",
"correlation ID":"Id-5teata"
        }
}

Re: How to extract fields from JSON data in Splunk?

javiergn — Sun, 07 Feb 2016 10:54:41 GMT

Take a look at the spath command, it will do that for you automatically:

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/spath

Re: How to extract fields from JSON data in Splunk?

kotig — Mon, 08 Feb 2016 18:33:58 GMT

We have tried to do using the spath, but I did not get the expected response as our log files are not json totally. Those are text log files which contains the json objects in middle somewhere.. please let me know if there is another way where we can extract the json object.

Re: How to extract fields from JSON data in Splunk?

javiergn — Mon, 08 Feb 2016 19:23:32 GMT

If you have already extracted your fields then simply pass the relevant JSON field to spath like this:

| spath input=YOURFIELDNAME

If you haven't manage to extract the JSON field just yet and your events look like the one you posted above, then try the following:

yoursearch
| rex field=_raw "(?msi)(?<json_field>\{.+\}$)"
| spath input=json_field

That will just extract just the json bits from your event.

Re: How to extract fields from JSON data in Splunk?

kotig — Mon, 08 Feb 2016 22:37:31 GMT

Thanks that helped.. that is what I was looking for. Thank you for a quick reply.

Re: How to extract fields from JSON data in Splunk?

rodneyjerome — Wed, 09 Nov 2016 07:28:41 GMT

Try using custom commands. This is very useful

http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Writeasearchcommand

Re: How to extract fields from JSON data in Splunk?

newbie2tech — Wed, 28 Jun 2017 15:26:48 GMT

thank you javiergn...your second search worked for my scenario..been trying since few hours ...

Re: How to extract fields from JSON data in Splunk?

dijikul — Fri, 17 Aug 2018 19:43:04 GMT

This is good if you're typing manual search results, but is it possible to auto-extract KV's from JSON once you've cleanly extracted the JSON into it's own field?

The raw events aren't ONLY JSON, and I want auto-extractions to occur against a particular field in all search cases, not only those with the spath command piped.

Am I dreaming?