Adding additional field from one json field.
Hi all,
I just started discovering Splunk. I am extracting a file containing JSON data. The data looks something like this:
"DevEUI_uplink": {
"AckRequested": "1",
"DevLrrCnt": "5",
"rawMacCommands": "",
"Late": "0",
"ADRbit": "1",
"LrrLON": "6.440177",
"payload_hex": "00a0723a032805af1eb9006d4a9b000000",
"Channel": "LC1",
"FPort": "4",
"DevAddr": "15293375"
It's a lot longer, but you get the idea. Splunk extracts the field fine; however, "payload_hex" contains data that needs to be extracted into multiple fields. For example, the last four characters will be the temperature. Is it possible to do this? If so, where would I do this and how?
EDIT: suggestions about where to learn this or specific tutorials are welcome as well.
Any help is much appreciated!

You can do it by adding a search-time extraction in props.conf.
i.e. EVAL-temperature = substr('DevEUI_uplink.payload_hex', -4)
You can also write REGEX as well. Please refer docs at
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Createandmaintainsearch-timefieldextract...
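A fuller props.conf stanza for the approach in the answer above, as an added example that is not part of the original reply. The sourcetype name `lorawan:uplink` and the output field names are placeholders, and it assumes the JSON is extracted at search time; the page does not give the temperature's unit or scaling, so the value is left as the raw integer.

```ini
# props.conf on the search head (search-time settings).
# [lorawan:uplink] is a placeholder; use the sourcetype assigned to this data.
[lorawan:uplink]

# Extract the JSON keys at search time, which produces the nested field
# DevEUI_uplink.payload_hex that the calculated fields below read.
KV_MODE = json

# A field name containing a dot must be wrapped in single quotes inside an
# eval expression; unquoted, the dot is parsed as the concatenation operator.
# A negative start index in substr() counts from the end of the string,
# so -4 returns the last four hex characters.
EVAL-temperature_hex = substr('DevEUI_uplink.payload_hex', -4)

# Calculated fields in one stanza are evaluated independently of each other,
# so this one cannot reference temperature_hex and repeats the substr() call.
# tonumber(<string>, 16) parses the hex digits as a base-16 integer.
EVAL-temperature_raw = tonumber(substr('DevEUI_uplink.payload_hex', -4), 16)
```

With the sample event in the question, `temperature_hex` is `0000` and `temperature_raw` is `0`.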
Thank you, I will look into it!

If that solved your issue, please accept the answer. If it was helpful but did not completely solve the issue, then you can upvote it instead.
