Solved: Is it possible to parse an extracted field as json...

stevennoble · ‎10-22-2013

If I have a line of my logs that look something like

[2013-10-18 23:36:50.785476] {"message":"some message", "headers": {"a": 1, "b": 2}}

is there a way I can use splunk's regex extraction to separate the timestamp from the json, then use splunk's json extraction to to extract fields from the json?

_d_ · ‎10-22-2013

You can't use KV_MODE=json in props.conf because in its current state the event is not fully json. Additionally you can't extract the rest of the messages and then use the same setting on it (again, from props.conf). However, you can do it inline with spath.

Extract the whole json message in a field called, say, my_field, then use spath:

...| spath input=my_field

View solution in original post

kamermans · ‎07-15-2014

You can remove the string leader using any the following methods:

Remove leader by pretending it's a line breaker
LINE_BREAKER=((:?^|\n).+?){ SHOULD_LINEMERGE=false
Removing the leader with SEDCMD:
SEDCMD-StripHeader=s/^[^{]+//
Removing the leader via a transform on _raw:
; in transforms.conf: [StripSyslog] REGEX = ^[^{]+(.*)$ FORMAT = $1 DEST_KEY = _raw
; in props.conf: TRANSFORMS-StripSyslog = StripSyslog

All these methods will work with KV_MODE=json, but note that currently they will not work with INDEXED_EXTRACTIONS=json.

prees · ‎12-08-2015

Second what @wsnyder2 said. Is it possible to do this and still retain the info from the header?

EDIT: or is it possible to pre-transform them based on the header then apply this transform?

wsnyder2 · ‎10-30-2015

Can I do this and keep my header?

_d_ · ‎10-22-2013

You can't use KV_MODE=json in props.conf because in its current state the event is not fully json. Additionally you can't extract the rest of the messages and then use the same setting on it (again, from props.conf). However, you can do it inline with spath.

Extract the whole json message in a field called, say, my_field, then use spath:

...| spath input=my_field

wsnyder2 · ‎10-30-2015

This is a bummer ... We have jason as part of an event. Would love to have field extraction happen under the hood, e.g. in props.conf or transforms.conf.
Seems like there is a way based on postings in this thread. (?)

prees · ‎12-08-2015

Was any one able to do this? as originally described, ie. without using spath?

_d_ · ‎10-22-2013

Inline in a search. You can follow the ..|spath input=my_field with any other search commands. More details and examples here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

stevennoble · ‎10-22-2013

This is something that I'd use in a search? Or can this be applied to a log source?

Is it possible to parse an extracted field as json if the whole log line isn't json?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation