Solved: Single field needs formatting

zeroCalm · ‎07-18-2017

Hello,

I am wondering is there a way to format a single field into JSON format. I have an error alert that returns the info requested, however the field "msg" is jumbled and difficult to read. However, when I take the contents of the "msg" field and plug it into a JSON converter, it is then readable.
I am very new to this, and don't have anywhere else to go. I am just wondering is there a way to format one field.

Thank you for your patience with me.

Timothy

DalJeanis · ‎07-18-2017

Okay, we understand your confusion. Now you have to give us the actual code (the non confidential part please) and the actual message.

But first, the spath command might be what you are looking for. It turns any properly formatted JSON into splunk variables.

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Spath

View solution in original post

DalJeanis · ‎07-18-2017

Okay, we understand your confusion. Now you have to give us the actual code (the non confidential part please) and the actual message.

But first, the spath command might be what you are looking for. It turns any properly formatted JSON into splunk variables.

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Spath

Single field needs formatting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation