Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract JSON fields in mixed data structure with p...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract JSON fields in mixed data structure with props
_smp_
Builder
10-06-2017
09:31 PM
I have an event with a mix of JSON and non-JSON data. I have successfully extracted a Payload field with props whose value is a JSON data structure. Then using the search | spath input=Payload, the value is successfully parsed into KV pairs. But how do I move this to a config file for automatic extraction? I was looking at an EVAL- statement with the spath() function, but it's not clear what the "Y" value should be if I want to extract all of the fields, not just a specific one:
EVAL-Payload = spath(Payload, "*")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
05-21-2019
03:48 AM
Please see similar question and answer
https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
faguilar
Path Finder
05-21-2019
03:39 AM
Hi @scottprigge
I have the same issue here with a JSON payload, but I couldn't figure out how to extract the data on the JSON field to make the data search. Can you show me how you manage to get the data of the JSON payload within the props?
one of my events:
05/18/2019 00:00:00 +0200, info_search_time=1558442780.272, application=axo, createDate="01/01/2019", description=mydesc, id=123456789, results="{\"results\":{\"myDate\":\"27/04/2019\",\"myId\":\"3215AAA_24369\",\"myClientId\":\"12345\",\"myType\":\"Total\"}}"
My props.conf for this sourcetype:
[extract_json]
REGEX = \"(?<field>[^\"]+)\":\"(?<value>[^\"]+)
FORMAT= "$1"::"$2"
WRITE_META = true
I couldn't make this thing work.
Thank you!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
05-21-2019
03:52 AM
@faguilar , please find the similar post below
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
faguilar
Path Finder
05-21-2019
06:12 AM
Thank you @koshyk!!! Sorry I didn't saw the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
05-22-2019
09:16 AM
no probs. if it has helped you, please upvote/accept. cheers
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
