Re: Adding additional field from one json field.

jankappe · ‎04-06-2017

Hi all,

I just started discovering Splunk. I am extracting a file containing JSON data. The data looks something like this:

"DevEUI_uplink": {
        "AckRequested": "1",
        "DevLrrCnt": "5",
        "rawMacCommands": "",
        "Late": "0",
        "ADRbit": "1",
        "LrrLON": "6.440177",
        "payload_hex": "00a0723a032805af1eb9006d4a9b000000",
        "Channel": "LC1",
        "FPort": "4",
        "DevAddr": "15293375"

It's a lot longer but you get the idea. Splunk extracts the field fine however "payload_hex" contains data that needs to be extracted into multiple fields. For example the last for characters will be the temperature. Is it possible to do this? If so, where would I do this and how?

EDIT: suggestions about where to learn this or specific tutorials are welcome as well.

Any help is much appreciated!

hardikJsheth · ‎04-07-2017

You can do it by adding search time extraction in props.conf.
i.e EVAL-temprature= substr(DevEUI_uplink. payload_hex,0,4)

You can also write REGEX as well. Please refer docs at
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Createandmaintainsearch-timefieldextract...

jankappe · ‎04-07-2017

Thank you, i will look into it!

DalJeanis · ‎04-07-2017

If that solved your issue, please accept the answer. If it was helpful but did not completely solve the issue, then you can upvote it instead.

Adding additional field from one json field.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk