https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300257#M90402 <P>I have an event with a mix of JSON and non-JSON data. I have successfully extracted a Payload field with props whose value is a JSON data structure. Then using the search <CODE>| spath input=Payload</CODE>, the value is successfully parsed into KV pairs. But how do I move this to a config file for automatic extraction? I was looking at an <CODE>EVAL-</CODE> statement with the <CODE>spath()</CODE> function, but it's not clear what the "Y" value should be if I want to extract all of the fields, not just a specific one:</P> <P><CODE>EVAL-Payload = spath(Payload, "*")</CODE></P> Sat, 07 Oct 2017 04:31:54 GMT _smp_ 2017-10-07T04:31:54Z https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300257#M90402 <P>I have an event with a mix of JSON and non-JSON data. I have successfully extracted a Payload field with props whose value is a JSON data structure. Then using the search <CODE>| spath input=Payload</CODE>, the value is successfully parsed into KV pairs. But how do I move this to a config file for automatic extraction? I was looking at an <CODE>EVAL-</CODE> statement with the <CODE>spath()</CODE> function, but it's not clear what the "Y" value should be if I want to extract all of the fields, not just a specific one:</P> <P><CODE>EVAL-Payload = spath(Payload, "*")</CODE></P> Sat, 07 Oct 2017 04:31:54 GMT https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300257#M90402 _smp_ 2017-10-07T04:31:54Z https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300258#M90403 <P>Hi @scottprigge <BR /> I have the same issue here with a JSON payload, but I couldn't figure out how to extract the data on the JSON field to make the data search. Can you show me how you manage to get the data of the JSON payload within the props?</P> <P>one of my events:</P> <PRE><CODE>05/18/2019 00:00:00 +0200, info_search_time=1558442780.272, application=axo, createDate="01/01/2019", description=mydesc, id=123456789, results="{\"results\":{\"myDate\":\"27/04/2019\",\"myId\":\"3215AAA_24369\",\"myClientId\":\"12345\",\"myType\":\"Total\"}}" </CODE></PRE> <P>My props.conf for this sourcetype:</P> <PRE><CODE>[extract_json] REGEX = \"(?&lt;field&gt;[^\"]+)\":\"(?&lt;value&gt;[^\"]+) FORMAT= "$1"::"$2" WRITE_META = true </CODE></PRE> <P>I couldn't make this thing work.</P> <P>Thank you!!</P> Tue, 21 May 2019 10:39:42 GMT https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300258#M90403 faguilar 2019-05-21T10:39:42Z https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300259#M90404 <P>Please see similar question and answer<BR /> <A href="https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html">https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html</A></P> Tue, 21 May 2019 10:48:10 GMT https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300259#M90404 koshyk 2019-05-21T10:48:10Z https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300260#M90405 <P>@faguilar , please find the similar post below</P> Tue, 21 May 2019 10:52:01 GMT https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300260#M90405 koshyk 2019-05-21T10:52:01Z https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300261#M90406 <P>Thank you @koshyk!!! Sorry I didn't saw the answer</P> Tue, 21 May 2019 13:12:15 GMT https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300261#M90406 faguilar 2019-05-21T13:12:15Z https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300262#M90407 <P>no probs. if it has helped you, please upvote/accept. cheers</P> Wed, 22 May 2019 16:16:04 GMT https://community.splunk.com/t5/Splunk-Search/Extract-JSON-fields-in-mixed-data-structure-with-props/m-p/300262#M90407 koshyk 2019-05-22T16:16:04Z