Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract JSON fields in mixed data structure with p...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract JSON fields in mixed data structure with props
_smp_
Builder
10-06-2017
09:31 PM
I have an event with a mix of JSON and non-JSON data. I have successfully extracted a Payload field with props whose value is a JSON data structure. Then using the search | spath input=Payload, the value is successfully parsed into KV pairs. But how do I move this to a config file for automatic extraction? I was looking at an EVAL- statement with the spath() function, but it's not clear what the "Y" value should be if I want to extract all of the fields, not just a specific one:
EVAL-Payload = spath(Payload, "*")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
05-21-2019
03:48 AM
Please see similar question and answer
https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
faguilar
Path Finder
05-21-2019
03:39 AM
Hi @scottprigge
I have the same issue here with a JSON payload, but I couldn't figure out how to extract the data on the JSON field to make the data search. Can you show me how you manage to get the data of the JSON payload within the props?
one of my events:
05/18/2019 00:00:00 +0200, info_search_time=1558442780.272, application=axo, createDate="01/01/2019", description=mydesc, id=123456789, results="{\"results\":{\"myDate\":\"27/04/2019\",\"myId\":\"3215AAA_24369\",\"myClientId\":\"12345\",\"myType\":\"Total\"}}"
My props.conf for this sourcetype:
[extract_json]
REGEX = \"(?<field>[^\"]+)\":\"(?<value>[^\"]+)
FORMAT= "$1"::"$2"
WRITE_META = true
I couldn't make this thing work.
Thank you!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
05-21-2019
03:52 AM
@faguilar , please find the similar post below
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
faguilar
Path Finder
05-21-2019
06:12 AM
Thank you @koshyk!!! Sorry I didn't saw the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
05-22-2019
09:16 AM
no probs. if it has helped you, please upvote/accept. cheers
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
