https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320362#M95749 <P>I tried looking up for a solution and went through almost all suggestions. None worked for me. I have the following json log that i want to convert to table. This is the raw representation for the json. </P> <PRE><CODE>{"timestamp": "2017-05-28T19:34:15.698Z", "F_A": "valuefor_F_A", "F_B": "valuefor_F_B", "F_C": "{\"x\":\"valuefor_x\",\"y\":\"valuefor_y\",\"z\":\"valuefor_z\"}", "F_D": "valuefor_F_D" } </CODE></PRE> <P>Field F_C contains most of the info which i want to see in a table. I also need the timestamp in the table. So basically here is what i am looking for </P> <PRE><CODE>x y z timestamp ===================================================================== valuefor_x valuefor_y valuefor_z 2017-05-28T19:34:15.698Z </CODE></PRE> <P>Any suggestions?</P> Mon, 29 May 2017 01:59:56 GMT splunk_skr 2017-05-29T01:59:56Z https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320362#M95749 <P>I tried looking up for a solution and went through almost all suggestions. None worked for me. I have the following json log that i want to convert to table. This is the raw representation for the json. </P> <PRE><CODE>{"timestamp": "2017-05-28T19:34:15.698Z", "F_A": "valuefor_F_A", "F_B": "valuefor_F_B", "F_C": "{\"x\":\"valuefor_x\",\"y\":\"valuefor_y\",\"z\":\"valuefor_z\"}", "F_D": "valuefor_F_D" } </CODE></PRE> <P>Field F_C contains most of the info which i want to see in a table. I also need the timestamp in the table. So basically here is what i am looking for </P> <PRE><CODE>x y z timestamp ===================================================================== valuefor_x valuefor_y valuefor_z 2017-05-28T19:34:15.698Z </CODE></PRE> <P>Any suggestions?</P> Mon, 29 May 2017 01:59:56 GMT https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320362#M95749 splunk_skr 2017-05-29T01:59:56Z https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320363#M95750 <P>The timestamp should be auto recognized:</P> <P>Here's my "down and dirty, cell phone typed answer":</P> <PRE><CODE> ... | rex 'x\\":\\"(?&lt;x&gt;.+)\\",\\"y\\":\\"(?&lt;y&gt;.+)\\",\\"z\\":\\"(?&lt;z&gt;.+)\\"}"' | table x y z _time </CODE></PRE> Mon, 29 May 2017 02:24:08 GMT https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320363#M95750 jkat54 2017-05-29T02:24:08Z https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320364#M95751 <P>Thanks,,there are syntactical errors..trying to fix now.</P> Mon, 29 May 2017 04:45:36 GMT https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320364#M95751 splunk_skr 2017-05-29T04:45:36Z https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320365#M95752 <P>Unable to make it work. any other suggestions?</P> Mon, 29 May 2017 05:11:02 GMT https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320365#M95752 splunk_skr 2017-05-29T05:11:02Z https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320366#M95753 <P>Change the double slashes to triple slashes, if that don't work make them quad slashes. Sorry I couldn't test first, but I'm far away from my computer.</P> Mon, 29 May 2017 13:17:26 GMT https://community.splunk.com/t5/Splunk-Search/Convert-JSON-to-table/m-p/320366#M95753 jkat54 2017-05-29T13:17:26Z