Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract JSON fields in mixed data structure with props

_smp_
Builder
‎10-06-2017 09:31 PM

I have an event with a mix of JSON and non-JSON data. I have successfully extracted a Payload field with props whose value is a JSON data structure. Then using the search | spath input=Payload, the value is successfully parsed into KV pairs. But how do I move this to a config file for automatic extraction? I was looking at an EVAL- statement with the spath() function, but it's not clear what the "Y" value should be if I want to extract all of the fields, not just a specific one:

EVAL-Payload = spath(Payload, "*")

Reply

koshyk
Super Champion
‎05-21-2019 03:48 AM

Please see similar question and answer
https://answers.splunk.com/answers/117121/extract-json-data-within-the-logs-json-mixed-with.html

Reply

faguilar
Path Finder
‎05-21-2019 03:39 AM

Hi @scottprigge
I have the same issue here with a JSON payload, but I couldn't figure out how to extract the data on the JSON field to make the data search. Can you show me how you manage to get the data of the JSON payload within the props?

one of my events:

05/18/2019 00:00:00 +0200, info_search_time=1558442780.272, application=axo, createDate="01/01/2019", description=mydesc, id=123456789, results="{\"results\":{\"myDate\":\"27/04/2019\",\"myId\":\"3215AAA_24369\",\"myClientId\":\"12345\",\"myType\":\"Total\"}}"

My props.conf for this sourcetype:

[extract_json]
REGEX = \"(?<field>[^\"]+)\":\"(?<value>[^\"]+)
FORMAT= "$1"::"$2"
WRITE_META = true

I couldn't make this thing work.

Thank you!!

0 Karma
Reply

koshyk
Super Champion
‎05-21-2019 03:52 AM

@faguilar , please find the similar post below

0 Karma
Reply

faguilar
Path Finder
‎05-21-2019 06:12 AM

Thank you @koshyk!!! Sorry I didn't saw the answer

0 Karma
Reply

koshyk
Super Champion
‎05-22-2019 09:16 AM

no probs. if it has helped you, please upvote/accept. cheers

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...