Re: Extract Json string from log event

rameshlpatel · ‎08-22-2016

I have below log format using search query I want to extract json string starting from category field and want automatically make key value pair attributes. Here twist is I dont have access to change conf files.

2016-08-22 08:35:12,914 +00:00 [INFO] [XXXXXX] {"category":"XXXX","source":"XXXX","type":"ApplicationLaunch","referrer":"XXXXX","dateLogged":"2016-08-22 08:35:12,914 +00:00","args":{"topUrl":"XXXXXX"}}

Please help me if splunk provides such feature to extract json string using search query.

renjith_nair · ‎08-22-2016

You need to extract json part of your log message and pass it to spath to get the fields extracted automatically.

Try this - based on your sample data above

your base search |rex field=_raw "^(?:[^ \n]* ){5}(?P<my_json>\{\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\d+\-\d+\-\d+\s+\d+:\d+:\d+,\d+\s+\+\d+:\d+\",\"\w+\":\{\"\w+\":\"\w+\"\}\})"|fields my_json|spath input=my_json

Above filed extraction is taken from Splunk field extraction and needs to be tuned for your specific requirement

---
What goes around comes around. If it helps, hit it with Karma 🙂

Extract Json string from log event

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Extract Json string from log event

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...