Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to parse key-value pairs from logs in JSON format?

rameshlpatel
Communicator
‎02-26-2015 12:51 PM

Hi, In my Java application, I am printing logs in JSON format. Here in JSON "message" field I am logging a value as key-value pair format (shown below).

message: {"TOKEN_ID":"5122b288-9201-4826-93e0-325ad7f2aa00","Result":"SUCCESS","Method":"validateToken()","DATE":"Thu Feb 26 04:42:30 CST 2015","REALM":"LDAP_AD","EMPLOYEE_ID":"999999"}

However SPLUNK parser is not able to parse them as SPLUNK fields like Result=SUCCESS, EMPLOYEE_ID=99999 etc. Please help me in this issue.

{ [-] 
   context: default 
   level: INFO 
   logger: com.wm.ocs.driverSecurity.service.impl.TokenValidationServiceImpl 
   message: {"TOKEN_ID":"5122b288-9201-4826-93e0-325ad7f2aa00","Result":"SUCCESS","Method":"validateToken()","DATE":"Thu Feb 26 04:42:30 CST 2015","REALM":"LDAP_AD","EMPLOYEE_ID":"999999"} 
   thread: WebContainer : 3 
   timestamp: 2015-02-26T04:42:30.456Z 
}
Tags (3)
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-26-2015 02:39 PM

You can get all the values from the JSON string by setting the props.conf to know that the data is JSON formatted. If it is not completely JSON formatted, however, it will not work. In otherwords, the JSON string must be the only thing in the event. Even the date string must be found within the JSON string. When that works, you get the same effect as with KV pairs.

I've had success with setting my props.conf for the JSON data to have the following:

KV_MODE = json
SHOULD_LINEMERGE = true

The SHOULD_LINEMERGE should be set according to your events, where true would be for multi-line events.

Accessing the fields is simple enough where you go through the name by the hierarchy of the string. In your event, you might use something like message.EMPLOYEE_ID to access that field from the JSON string. See the spath documentation (http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Spath) for more information.

Reply

somesoni2
Revered Legend
‎02-26-2015 01:29 PM

By default, Splunk doesn't treat ":" as KV delimiter. Have a look at following post to see what you need to configure to achieve that.

http://answers.splunk.com/answers/34943/key-value-pair-extraction.html

0 Karma
Reply

rameshlpatel
Communicator
‎02-26-2015 01:37 PM

I have also tried as "=" as KV delimiter but SPLUNK considering as string value for message field. I want SPLUNK to consider that as inner JSON string and make it as KV pair.

Is there any way to configure splunk to parse inner JSON string ?

0 Karma
Reply

dominiquevocat
SplunkTrust
SplunkTrust
‎05-07-2015 03:49 AM

something like this? | extract pairdelim=",", kvdelim=":"
it will treat the field _raw only for all i know

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...