https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315352#M94408 <P>Hi all, </P> <P>I just started discovering Splunk. I am extracting a file containing JSON data. The data looks something like this:</P> <PRE><CODE>"DevEUI_uplink": { "AckRequested": "1", "DevLrrCnt": "5", "rawMacCommands": "", "Late": "0", "ADRbit": "1", "LrrLON": "6.440177", "payload_hex": "00a0723a032805af1eb9006d4a9b000000", "Channel": "LC1", "FPort": "4", "DevAddr": "15293375" </CODE></PRE> <P>It's a lot longer but you get the idea. Splunk extracts the field fine however "payload_hex" contains data that needs to be extracted into multiple fields. For example the last for characters will be the temperature. Is it possible to do this? If so, where would I do this and how?</P> <P><STRONG>EDIT:</STRONG> suggestions about where to learn this or specific tutorials are welcome as well.</P> <P>Any help is much appreciated!</P> Fri, 07 Apr 2017 06:54:12 GMT jankappe 2017-04-07T06:54:12Z https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315352#M94408 <P>Hi all, </P> <P>I just started discovering Splunk. I am extracting a file containing JSON data. The data looks something like this:</P> <PRE><CODE>"DevEUI_uplink": { "AckRequested": "1", "DevLrrCnt": "5", "rawMacCommands": "", "Late": "0", "ADRbit": "1", "LrrLON": "6.440177", "payload_hex": "00a0723a032805af1eb9006d4a9b000000", "Channel": "LC1", "FPort": "4", "DevAddr": "15293375" </CODE></PRE> <P>It's a lot longer but you get the idea. Splunk extracts the field fine however "payload_hex" contains data that needs to be extracted into multiple fields. For example the last for characters will be the temperature. Is it possible to do this? If so, where would I do this and how?</P> <P><STRONG>EDIT:</STRONG> suggestions about where to learn this or specific tutorials are welcome as well.</P> <P>Any help is much appreciated!</P> Fri, 07 Apr 2017 06:54:12 GMT https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315352#M94408 jankappe 2017-04-07T06:54:12Z https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315353#M94409 <P>You can do it by adding search time extraction in props.conf. <BR /> i.e <CODE>EVAL-temprature= substr(DevEUI_uplink. payload_hex,0,4)</CODE></P> <P>You can also write REGEX as well. Please refer docs at <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles</A></P> Fri, 07 Apr 2017 12:28:38 GMT https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315353#M94409 hardikJsheth 2017-04-07T12:28:38Z https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315354#M94410 <P>Thank you, i will look into it!</P> Fri, 07 Apr 2017 12:33:33 GMT https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315354#M94410 jankappe 2017-04-07T12:33:33Z https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315355#M94411 <P>If that solved your issue, please accept the answer. If it was helpful but did not completely solve the issue, then you can upvote it instead.</P> Fri, 07 Apr 2017 15:48:37 GMT https://community.splunk.com/t5/Splunk-Search/Adding-additional-field-from-one-json-field/m-p/315355#M94411 DalJeanis 2017-04-07T15:48:37Z