Solved: How to get json portion of log entry to display as...

ShagVT · ‎07-13-2018

Hey gang - hopefully this isn't to bad of a question and I'm missing something simple.

I have an application that is writing data that looks like this:
    018-07-13 05:48:30.343 PDT [pool-3-thread-3]  INFO STATUS - {"well_formed_json": "yes"}

The Json document is far more elaborate, of course ... just here so you can get an idea. So I've got a query that can display this json alone:

index="myindex" | rex field=_raw "INFO STATUS - (?<json>.*)"| table json

And this is great ... I get a table with all of my JSON blocks. That's good as far as that goes. But how do I get Splunk to actually format that as json with the nice color-coding and nested levels folding and whatnot?

somesoni2 · ‎07-13-2018

Give this a try

index="myindex" | rex field=_raw "INFO STATUS - (?<json>.*)"| rename json as _raw

View solution in original post

somesoni2 · ‎07-13-2018

Give this a try

index="myindex" | rex field=_raw "INFO STATUS - (?<json>.*)"| rename json as _raw

ShagVT · ‎07-13-2018

wow - it worked!!

somesoni2 · ‎07-13-2018

Splunk does the auto-json formatting for the field _raw on Events tab, update _raw to just have the pure json content worked here. If there are no follow-up questions to this, please close this question by accepting this answer.

ShagVT · ‎07-13-2018

My only followup answer would be this: is there any way to get a partial row to display as JSON (with syntax help, etc) or must we get where it is the whole row (by doing the _raw rename)?

How to get json portion of log entry to display as formatted JSON?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation