Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting JSON/XML from string entry and dispalying in table

amith7
New Member
‎02-28-2019 08:24 PM

I am trying to extract various fields from below entry in splunk.
I executed the below splunk query :
index=test_index source="testlogs.log" "InteractionId=test_interaction_id1" | search("||url") | table service,operation,status,status_code,exception,duration,url,request, response
The below is splunk log entry:
2019-02-28 22:21:34.248 [UUID=d791aecb-c320-453a-9207-bf96e01beaaf|InteractionId=test_interaction_id1] INFO com.test.MyLogger - service="TestService"||operation="testOperation"||url="http://localhost:8080/testservice/v4/testOperation"||request="{\"customer\":{\"id\":\"80\",\"name\":...".
request and response fields which are XML or JSON are not displayed properly in the table.
JSON is dispalyed as {\

I would like to have the complete JSON and XML in the table.

Thanks in Advance!

0 Karma
Reply

efavreau
Motivator
‎03-01-2019 02:22 PM

@amith7 What does the raw event look like? Your code post isn't clear. To be clear, please edit your question, highlighting the event and then using the code tool button. That's the button that looks like the 101010.
Without more information, the JSON doesn't look standard. I would use the rex (short for regular expression) command to slice out exactly what you want into a new field.
Here's the documentation for the rex command: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Rex

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-01-2019 07:29 AM

What do you mean by "request and response fields which are XML or JSON are not displayed properly in the table"? They will not be pretty-printed, if that's what you mean.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

amith7
New Member
‎03-01-2019 08:05 AM

I am trying to extract various fields from below entry in splunk.

I executed the below splunk query :
index=test_index source="testlogs.log" "InteractionId=test_interaction_id1" | search("||url") | table service,operation,status,status_code,exception,duration,url,request, response

The below is splunk log entry:
2019-02-28 22:21:34.248 [UUID=d791aecb-c320-453a-9207-bf96e01beaaf|InteractionId=test_interaction_id1] INFO com.test.MyLogger - service="TestService"||operation="testOperation"||url="http://localhost:8080/testservice/v4/testOperation"||request="{\"customer\":{\"id\":\"80\",\"name\":..."

request and response fields which are XML or JSON are not displayed properly in the table.
JSON is dispalyed as {\

I would like to have the complete JSON and XML in the table.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-01-2019 04:20 PM

You've just re-posted the original question twice without fixing the error, improving the formatting, or adding clarifying information. Help us help you!

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nickhills
Ultra Champion
‎03-01-2019 07:48 AM

Can you repost using the code tool 101010 ?
It looks like some of your content has been stripped from the question (probably because it looked like XML/HTML)

If my comment helps, please give it a thumbs up!
0 Karma
Reply

amith7
New Member
‎03-01-2019 07:57 AM

I am trying to extract various fields from below entry in splunk.

I executed the below splunk query :
index=test_index source="testlogs.log" "InteractionId=test_interaction_id1" | search("||url") | table service,operation,status,status_code,exception,duration,url,request, response

The below is splunk log entry:
2019-02-28 22:21:34.248 [UUID=d791aecb-c320-453a-9207-bf96e01beaaf|InteractionId=test_interaction_id1] INFO com.test.MyLogger - service="TestService"||operation="testOperation"||url="http://localhost:8080/testservice/v4/testOperation"||request="{\"customer\":{\"id\":\"80\",\"name\":..."

request and response fields which are XML or JSON are not displayed properly in the table.
JSON is dispalyed as {\

I would like to have the complete JSON and XML in the table.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top