How to extract JSON object parameters that change ...

mannkhor · ‎04-29-2018

Hi, quite a beginner here with Splunk. Is there a way to simply extract all parameters in below JSON object? The parameters returned can change based on partner.

Search: host=tp* index=pie *Avianca* OR *AFKLM* OR *British* OR *Etihad* OR *Sears* OR *IHG* OR *JETBLUE* OR *JET* OR *CARLSON* OR *EMirates* OR *Atlantic* MemberValidation RSP_JSON

<2018-04-29 23:04:18,658> TR0414012531-675696 [0e775a48ffdb4b61ab03c6af6785805d]: [RSP_JSON] [/JetBlue_PointsCore/JetBlue/MemberValidation] {
  "membershipLevel": "",
  "memberId": "",
  "status": "",
  "partnerResponseMessage": "",
  "firstName": "",
  "lastName": "",
  "accountStatus": "",
  "membershipNumber": "",
  "balance": ,
  "partnerResponseCode": "",
  "email": "",
  "accountCreationDate": "",
  "stage": ""
}

xpac · ‎04-30-2018

Did you try setting KV_MODE=JSON in the corresponding sourcetype in props.conf?
That should actually extract fields from JSON on it's own.

To access certain fields without changing KV_MODE, take a look at | spath here:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Spath

How to extract JSON object parameters that change based on search variable?

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!

Are you a member of the Splunk Community?

How to extract JSON object parameters that change based on search variable?

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!