Re: Extracting values from a json log file

Splunkster45 · ‎07-31-2018

I have log file that looks like the following:

what's the best way to extract each value here. I want to evetually download this as a csv file. I'm okay with the dictionary/json for message still being a dictionary/json.

{"source_host":"a.com","method":"new","level":"INFO","message":"value = {\"sessionId\" :\"1\",\"number\":\"2\"}"}

I tried using | spath output=_raw path=source_host, but and that worked, but I can't get multiple fields e.g.

| spath output=_raw path=source_host|method 
| spath output=_raw path=source_host,method
| spath output=_raw path=*

Any thoughts?

somesoni2 · ‎07-31-2018

Just use the spath command (no other parameter) to extract all fields, as long as your raw data is in pure json format. See this runanywhere sample based off your sample data (additional backslashes are added to inline data generation)

| gentimes start=-1 | eval _raw="{\"source_host\":\"a.com\",\"method\":\"new\",\"level\":\"INFO\",\"message\":\"value = {\\\"sessionId\\\" :\\\"1\\\",\\\"number\\\":\\\"2\\\"}\"}" | table _raw 
| spath

sudosplunk · ‎07-31-2018

Give this a try |spath output=_raw | table *

If you want to extract multiple values, have a look here.

Extracting values from a json log file

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation