Re: Extract Json string from log event

rameshlpatel · ‎08-22-2016

I have below log format using search query I want to extract json string starting from category field and want automatically make key value pair attributes. Here twist is I dont have access to change conf files.

2016-08-22 08:35:12,914 +00:00 [INFO] [XXXXXX] {"category":"XXXX","source":"XXXX","type":"ApplicationLaunch","referrer":"XXXXX","dateLogged":"2016-08-22 08:35:12,914 +00:00","args":{"topUrl":"XXXXXX"}}

Please help me if splunk provides such feature to extract json string using search query.

renjith_nair · ‎08-22-2016

You need to extract json part of your log message and pass it to spath to get the fields extracted automatically.

Try this - based on your sample data above

your base search |rex field=_raw "^(?:[^ \n]* ){5}(?P<my_json>\{\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\w+\",\"\w+\":\"\d+\-\d+\-\d+\s+\d+:\d+:\d+,\d+\s+\+\d+:\d+\",\"\w+\":\{\"\w+\":\"\w+\"\}\})"|fields my_json|spath input=my_json

Above filed extraction is taken from Splunk field extraction and needs to be tuned for your specific requirement

---
What goes around comes around. If it helps, hit it with Karma 🙂

Extract Json string from log event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation