Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Adding additional field from one json field.

jankappe
Explorer
‎04-06-2017 11:54 PM

Hi all,

I just started discovering Splunk. I am extracting a file containing JSON data. The data looks something like this:

"DevEUI_uplink": {
        "AckRequested": "1",
        "DevLrrCnt": "5",
        "rawMacCommands": "",
        "Late": "0",
        "ADRbit": "1",
        "LrrLON": "6.440177",
        "payload_hex": "00a0723a032805af1eb9006d4a9b000000",
        "Channel": "LC1",
        "FPort": "4",
        "DevAddr": "15293375"

It's a lot longer but you get the idea. Splunk extracts the field fine however "payload_hex" contains data that needs to be extracted into multiple fields. For example the last for characters will be the temperature. Is it possible to do this? If so, where would I do this and how?

EDIT: suggestions about where to learn this or specific tutorials are welcome as well.

Any help is much appreciated!

0 Karma
Reply

hardikJsheth
Motivator
‎04-07-2017 05:28 AM

You can do it by adding search time extraction in props.conf.
i.e EVAL-temprature= substr(DevEUI_uplink. payload_hex,0,4)

You can also write REGEX as well. Please refer docs at
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Createandmaintainsearch-timefieldextract...

Reply

jankappe
Explorer
‎04-07-2017 05:33 AM

Thank you, i will look into it!

0 Karma
Reply

DalJeanis
Legend
‎04-07-2017 08:48 AM

If that solved your issue, please accept the answer. If it was helpful but did not completely solve the issue, then you can upvote it instead.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...