Re: Extract Json string from log event

rameshlpatel · ‎08-22-2016

I have below log format using search query I want to extract json string starting from category field and want automatically make key value pair attributes. Here twist is I dont have access to change conf files.

2016-08-22 08:35:12,914 +00:00 [INFO] [XXXXXX] {"category":"XXXX","source":"XXXX","type":"ApplicationLaunch","referrer":"XXXXX","dateLogged":"2016-08-22 08:35:12,914 +00:00","args":{"topUrl":"XXXXXX"}}

Please help me if splunk provides such feature to extract json string using search query.

renjith_nair · ‎08-22-2016

You need to extract json part of your log message and pass it to spath to get the fields extracted automatically.

Try this - based on your sample data above

your base search |rex field=_raw "^(?:[^ \n]* ){5}(?P<my_json>\{\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\d+\-\d+\-\d+\s+\d+:\d+:\d+,\d+\s+\+\d+:\d+\",\"\w+\":\{\"\w+\":\"\w+\"\}\})"|fields my_json|spath input=my_json

Above filed extraction is taken from Splunk field extraction and needs to be tuned for your specific requirement

---
What goes around comes around. If it helps, hit it with Karma 🙂

Extract Json string from log event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation