How to extract JSON object parameters that change ...

mannkhor · ‎04-29-2018

Hi, quite a beginner here with Splunk. Is there a way to simply extract all parameters in below JSON object? The parameters returned can change based on partner.

Search: host=tp* index=pie *Avianca* OR *AFKLM* OR *British* OR *Etihad* OR *Sears* OR *IHG* OR *JETBLUE* OR *JET* OR *CARLSON* OR *EMirates* OR *Atlantic* MemberValidation RSP_JSON

<2018-04-29 23:04:18,658> TR0414012531-675696 [0e775a48ffdb4b61ab03c6af6785805d]: [RSP_JSON] [/JetBlue_PointsCore/JetBlue/MemberValidation] {
  "membershipLevel": "",
  "memberId": "",
  "status": "",
  "partnerResponseMessage": "",
  "firstName": "",
  "lastName": "",
  "accountStatus": "",
  "membershipNumber": "",
  "balance": ,
  "partnerResponseCode": "",
  "email": "",
  "accountCreationDate": "",
  "stage": ""
}

xpac · ‎04-30-2018

Did you try setting KV_MODE=JSON in the corresponding sourcetype in props.conf?
That should actually extract fields from JSON on it's own.

To access certain fields without changing KV_MODE, take a look at | spath here:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Spath

How to extract JSON object parameters that change based on search variable?

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >

How to extract JSON object parameters that change based on search variable?

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >