Splunk Parsing - How to do it

deepak312 · ‎08-15-2019

I have below json that is printed in logs,

{
  "timestamp": "2019-08-15T07:30:10,472Z",
  "level": "INFO",
  "thread": "xyz.default-dispatcher-27",
  "message": "Some message",
  "logger": "com.abc.xyz",
  "run_number": 1,
  "id": "123",
  "type_id": "Test",
  "roll_number": "12889",
  "status": "Fail",
  "comments": "Result failed",
  "new_map": {
    "8890": {
      "number": "null"
    }
  },
  "old_map": {
    "8890": {
      "number": "86"
    }
  },
  "condition_id": "65",
  "created_date": "2019-07-24",
  "modified_date": "2019-07-25"
}

I need to create a table to print id, roll_number, new_map and old_map. Tried using spath but no luck. Any help would be appreciated.

apcsplunk · ‎08-15-2019

It auto-extracted for me and i just had to type "| table id, roll_number, new_map.8890.number, old_map.8890.number"
May be you can clarify more on what should be the expected result

Splunk Parsing - How to do it

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation

Splunk Parsing - How to do it

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...