Re: Extract Json string from log event

rameshlpatel · ‎08-22-2016

I have below log format using search query I want to extract json string starting from category field and want automatically make key value pair attributes. Here twist is I dont have access to change conf files.

2016-08-22 08:35:12,914 +00:00 [INFO] [XXXXXX] {"category":"XXXX","source":"XXXX","type":"ApplicationLaunch","referrer":"XXXXX","dateLogged":"2016-08-22 08:35:12,914 +00:00","args":{"topUrl":"XXXXXX"}}

Please help me if splunk provides such feature to extract json string using search query.

renjith_nair · ‎08-22-2016

You need to extract json part of your log message and pass it to spath to get the fields extracted automatically.

Try this - based on your sample data above

your base search |rex field=_raw "^(?:[^ \n]* ){5}(?P<my_json>\{\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\d+\-\d+\-\d+\s+\d+:\d+:\d+,\d+\s+\+\d+:\d+\",\"\w+\":\{\"\w+\":\"\w+\"\}\})"|fields my_json|spath input=my_json

Above filed extraction is taken from Splunk field extraction and needs to be tuned for your specific requirement

---
What goes around comes around. If it helps, hit it with Karma 🙂

Extract Json string from log event

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Extract Json string from log event

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem