ShagVT:
Hey gang - hopefully this isn't too bad of a question and I'm missing something simple.
I have an application that is writing data that looks like this:
018-07-13 05:48:30.343 PDT [pool-3-thread-3] INFO STATUS - {"well_formed_json": "yes"}
The JSON document is far more elaborate, of course ... just here so you can get an idea. So I've got a query that can display this JSON alone:
index="myindex" | rex field=_raw "INFO STATUS - (?<json>.*)"| table json
And this is great ... I get a table with all of my JSON blocks. That's good as far as that goes. But how do I get Splunk to actually format that as JSON with the nice color-coding and nested-level folding and whatnot?
somesoni2:
Give this a try
index="myindex" | rex field=_raw "INFO STATUS - (?<json>.*)"| rename json as _raw
ShagVT:
wow - it worked!!
somesoni2:
Splunk does the auto-JSON formatting for the field _raw on the Events tab; updating _raw to have just the pure JSON content worked here. If there are no follow-up questions on this, please close this question by accepting this answer.
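A fuller version of the search from the accepted answer, added here as an illustration rather than something posted in this thread. It assumes the same index name and the same "INFO STATUS - {...}" line layout shown in the question. Two additions are mine: the capture is anchored on the outer braces (the greedy `.*` in the original would also pick up trailing whitespace, which can stop the event viewer from recognising the text as JSON), and the original event text is copied to a field named `orig_raw` before `_raw` is overwritten, so the timestamp, thread and log level are not lost from the result set. The trailing `spath` reads `_raw` by default, so the nested keys also become searchable fields.

```spl
index="myindex" "INFO STATUS -"
| rex "INFO STATUS - (?<json>\{.*\})\s*$"
| where isnotnull(json)
| eval orig_raw=_raw
| rename json AS _raw
| spath
```

On the Events tab each result now renders as a folded, colour-coded JSON object because `_raw` holds nothing but the object; `orig_raw` and the fields that `spath` extracted are available under the event for `table` or `stats` if needed. Events whose line did not match the pattern are dropped by the `where`, so a count before and after the search is a quick check that the regex covers every log format the application emits.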
ShagVT:
My only follow-up answer would be this: is there any way to get a partial row to display as JSON (with syntax help, etc.) or must we get where it is the whole row (by doing the _raw rename)?