Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract JSON fields in mixed data structure with p...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract JSON fields in mixed data structure with props
I have an event with a mix of JSON and non-JSON data. I have successfully extracted a Payload field with props whose value is a JSON data structure. Then using the search | spath input=Payload, the value is successfully parsed into KV pairs. But how do I move this to a config file for automatic extraction? I was looking at an EVAL- statement with the spath() function, but it's not clear what the "Y" value should be if I want to extract all of the fields, not just a specific one:
EVAL-Payload = spath(Payload, "*")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please see similar question and answer
https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @scottprigge
I have the same issue here with a JSON payload, but I couldn't figure out how to extract the data on the JSON field to make the data search. Can you show me how you manage to get the data of the JSON payload within the props?
one of my events:
05/18/2019 00:00:00 +0200, info_search_time=1558442780.272, application=axo, createDate="01/01/2019", description=mydesc, id=123456789, results="{\"results\":{\"myDate\":\"27/04/2019\",\"myId\":\"3215AAA_24369\",\"myClientId\":\"12345\",\"myType\":\"Total\"}}"
My props.conf for this sourcetype:
[extract_json]
REGEX = \"(?<field>[^\"]+)\":\"(?<value>[^\"]+)
FORMAT= "$1"::"$2"
WRITE_META = true
I couldn't make this thing work.
Thank you!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@faguilar , please find the similar post below
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @koshyk!!! Sorry I didn't saw the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no probs. if it has helped you, please upvote/accept. cheers
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
