- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting values from a json log file
Splunkster45
Communicator
07-31-2018
08:40 AM
I have log file that looks like the following:
what's the best way to extract each value here. I want to evetually download this as a csv file. I'm okay with the dictionary/json for message still being a dictionary/json.
{"source_host":"a.com","method":"new","level":"INFO","message":"value = {\"sessionId\" :\"1\",\"number\":\"2\"}"}
I tried using | spath output=_raw path=source_host, but and that worked, but I can't get multiple fields e.g.
| spath output=_raw path=source_host|method
| spath output=_raw path=source_host,method
| spath output=_raw path=*
Any thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-31-2018
10:45 AM
Just use the spath command (no other parameter) to extract all fields, as long as your raw data is in pure json format. See this runanywhere sample based off your sample data (additional backslashes are added to inline data generation)
| gentimes start=-1 | eval _raw="{\"source_host\":\"a.com\",\"method\":\"new\",\"level\":\"INFO\",\"message\":\"value = {\\\"sessionId\\\" :\\\"1\\\",\\\"number\\\":\\\"2\\\"}\"}" | table _raw
| spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sudosplunk
Motivator
07-31-2018
09:08 AM
Give this a try |spath output=_raw | table *
If you want to extract multiple values, have a look here.
