Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to parse an extracted field as json if the whole log line isn't json?

stevennoble
Explorer
‎10-22-2013 03:38 PM

If I have a line of my logs that look something like

[2013-10-18 23:36:50.785476] {"message":"some message", "headers": {"a": 1, "b": 2}}

is there a way I can use splunk's regex extraction to separate the timestamp from the json, then use splunk's json extraction to to extract fields from the json?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎10-22-2013 04:11 PM

You can't use KV_MODE=json in props.conf because in its current state the event is not fully json. Additionally you can't extract the rest of the messages and then use the same setting on it (again, from props.conf). However, you can do it inline with spath.

Extract the whole json message in a field called, say, my_field, then use spath:

...| spath input=my_field

View solution in original post

Reply
Solved! Jump to solution

kamermans
Path Finder
‎07-15-2014 10:24 AM

You can remove the string leader using any the following methods:

  1. Remove leader by pretending it's a line breaker

    LINE_BREAKER=((:?^|\n).+?){
    SHOULD_LINEMERGE=false

  2. Removing the leader with SEDCMD:

    SEDCMD-StripHeader=s/^[^{]+//

  3. Removing the leader via a transform on _raw:

    ; in transforms.conf:
    [StripSyslog]
    REGEX = ^[^{]+(.*)$
    FORMAT = $1
    DEST_KEY = _raw


    ; in props.conf:
    TRANSFORMS-StripSyslog = StripSyslog

All these methods will work with KV_MODE=json, but note that currently they will not work with INDEXED_EXTRACTIONS=json.

Reply
Solved! Jump to solution

prees
Explorer
‎12-08-2015 01:39 PM

Second what @wsnyder2 said. Is it possible to do this and still retain the info from the header?

EDIT: or is it possible to pre-transform them based on the header then apply this transform?

0 Karma
Reply
Solved! Jump to solution

wsnyder2
Path Finder
‎10-30-2015 08:00 AM

Can I do this and keep my header?

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎10-22-2013 04:11 PM

You can't use KV_MODE=json in props.conf because in its current state the event is not fully json. Additionally you can't extract the rest of the messages and then use the same setting on it (again, from props.conf). However, you can do it inline with spath.

Extract the whole json message in a field called, say, my_field, then use spath:

...| spath input=my_field

Reply
Solved! Jump to solution

wsnyder2
Path Finder
‎10-30-2015 07:51 AM

This is a bummer ... We have jason as part of an event. Would love to have field extraction happen under the hood, e.g. in props.conf or transforms.conf.
Seems like there is a way based on postings in this thread. (?)

0 Karma
Reply
Solved! Jump to solution

prees
Explorer
‎12-08-2015 01:29 PM

Was any one able to do this? as originally described, ie. without using spath?

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎10-22-2013 04:22 PM

Inline in a search. You can follow the ..|spath input=my_field with any other search commands. More details and examples here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

0 Karma
Reply
Solved! Jump to solution

stevennoble
Explorer
‎10-22-2013 04:19 PM

This is something that I'd use in a search? Or can this be applied to a log source?

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...