Solved: Single field needs formatting

zeroCalm · ‎07-18-2017

Hello,

I am wondering is there a way to format a single field into JSON format. I have an error alert that returns the info requested, however the field "msg" is jumbled and difficult to read. However, when I take the contents of the "msg" field and plug it into a JSON converter, it is then readable.
I am very new to this, and don't have anywhere else to go. I am just wondering is there a way to format one field.

Thank you for your patience with me.

Timothy

DalJeanis · ‎07-18-2017

Okay, we understand your confusion. Now you have to give us the actual code (the non confidential part please) and the actual message.

But first, the spath command might be what you are looking for. It turns any properly formatted JSON into splunk variables.

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Spath

View solution in original post

DalJeanis · ‎07-18-2017

Okay, we understand your confusion. Now you have to give us the actual code (the non confidential part please) and the actual message.

But first, the spath command might be what you are looking for. It turns any properly formatted JSON into splunk variables.

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Spath

Single field needs formatting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation