Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I get Splunk to recognize and parse one of my field values in JSON format?

brent_weaver
Builder
‎11-03-2016 01:02 PM

I have perfect key/value pairs in my log (I am using the Splunk Add-on for Microsoft Azure to get table storage logs). The logs have:

LogTyppe:    LogTyppe   
MessageDetail:   {"test"="this will work", "name"="value", "name1"="value1", "name2"="value2"}
MessageSummary:  MessageSummary 
NetworkAddress:  NetworkAddress

Notice in MessageDetail there is a JSON formatted string... How do I get Splunk to recognize that one of the field values as json format?

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎11-30-2016 03:22 PM

Hi, @ brent_weaver, please update the title and question and avoid saying the event is json. Otherwise, people misunderstand this question itself.

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎11-06-2016 12:24 PM 
 {"test"="this will work", "name"="value", "name1"="value1", "name2"="value2"}

This is not json format???

Assuming you have json format value for MessageDetail field, 

 <your search> | spath input=MessageDetail
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-29-2016 11:33 PM

http://json.org/example.html is an example of what JSON data actually looks like, the above is key=value which is not JSON...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-28-2016 06:26 PM

using spath in verbose mode?

0 Karma
Reply

brent_weaver
Builder
‎11-07-2016 03:31 AM

THANK YOU for the answer. Let me ask a little bit differently, how do I get this field to be treated as interesting fields?

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎11-08-2016 02:59 PM

Sorry but I do not understand your question.
Also, instead of creating a new answer, can you add comment to an existing answer or, update your question as more elaborated question?

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎11-29-2016 10:37 AM

I'm still trying to understand your question especially your word "this field" above. Maybe it is because I do not understand Azure event contents.

Assuming you want to have Key-Value field extraction for any format of "key"="value" string, you can achieve it in transforms.conf and props.conf.
Note: I'm assuming sourcetype is azure_test in this example. 

- props.conf
[azure_test]
REPORT-extract_kv = extact_kv

- transforms.conf
[extract_kv]
REGEX = "(?<_KEY_1>[^\"]+)"="(?<_VAL_1>[^\"]+)"

Of course using this idea, you can do more specific for only for certain field value, etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...