Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract JSON from log event

splunk_skr
Explorer
‎03-01-2018 09:15 AM

Hi, I am trying to come up with a REGEX that would give me the entire json from the log event. Here is how my log looks like

TIMESTAMP  CHARS {
  "a": "1",
  "b": {
    "c": "2",
    "d": "3",
    "e": {
      "f": "4",
      "g": "5",
      "h": "6",
      "i": "7"
    },
    "j": "8",
    "k": "9"
  }
}

REGEX i could come up with search | rex "(?<jsonData>{[^}]+})" | spath input=jsonData is removing all data after the first } closes. Any suggestions to fix this pls.

0 Karma
Reply

somesoni2
Revered Legend
‎03-01-2018 09:35 AM

Try this

search | rex "^[^\{]+)(?m)(?<jsonData>.+)" | spath input=jsonData
0 Karma
Reply

splunk_skr
Explorer
‎03-01-2018 09:41 AM

This did not work but your suggestion helped me modify my existing pattern. rex "(?<jsonData>{[^}].+})" works for me.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎03-01-2018 12:10 PM

Does the search result have the fields available that are JSON hierarchically denoted? If not, it might not be viewing the data as JSON data. Your example has characters BEFORE the JSON string, which can cause the JSON parsing to not work. If Splunk is not viewing the data as JSON data, then that is your (first) problem. Remove the non-JSON string characters from the front of the event and it will likely work (no guarantees, as there could be some other problem, that that is a highly likely cause of @somesoni2's suggestion not working).

0 Karma
Reply

jasongb
Path Finder
‎10-24-2018 07:29 AM

I don't know about the original poster, but in my case, Cloudwatch is pre-pending data to what would otherwise be pure JSON. The characters BEFORE the string are not any content that we're specifically logging, they're a byproduct of the Cloudwatch log.

Any suggestions on how to remove the non-JSON string characters from the front of an event logged via Cloudwatch?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...