Splunk Parsing - How to do it

deepak312 · ‎08-15-2019

I have below json that is printed in logs,

{
  "timestamp": "2019-08-15T07:30:10,472Z",
  "level": "INFO",
  "thread": "xyz.default-dispatcher-27",
  "message": "Some message",
  "logger": "com.abc.xyz",
  "run_number": 1,
  "id": "123",
  "type_id": "Test",
  "roll_number": "12889",
  "status": "Fail",
  "comments": "Result failed",
  "new_map": {
    "8890": {
      "number": "null"
    }
  },
  "old_map": {
    "8890": {
      "number": "86"
    }
  },
  "condition_id": "65",
  "created_date": "2019-07-24",
  "modified_date": "2019-07-25"
}

I need to create a table to print id, roll_number, new_map and old_map. Tried using spath but no luck. Any help would be appreciated.

apcsplunk · ‎08-15-2019

It auto-extracted for me and i just had to type "| table id, roll_number, new_map.8890.number, old_map.8890.number"
May be you can clarify more on what should be the expected result

Splunk Parsing - How to do it

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation

Splunk Parsing - How to do it

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026