Splunk Search

Extract JSON formatted data

sathiyasun
Explorer

Below is the sample JSON log content. The main fields are extracted by default but the nested ones aren't. Please help to extract the nested space-separated data as fields.

The one I want to extract as a separate field is the line:

tag: service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890

Whole log event
{ [-]
line: { [-]
@timestamp: 2023-10-31T20:36:57.092Z
class: x.x.x.x.x.Logging
exception:
line: 54
marker:
message: GET https://00.00.000.000:123456/management/health forwarded from [] by [] for unknown returned 200 in 1ms
pid: 7
severity: INFO
span: b60d05680b3cbfa7
thread: boundedElastic-9
trace: b60d05680b3cbfa7
}
source: stdout
tag: service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890
}


yuanliu
SplunkTrust

As @ITWhisperer said, illustrate structured data in raw format, not with Splunk's condensation.

If you already have a top level key "tag", I suspect that you actually want the key-value pairs in that value ("service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890") extracted, not to extract that line again. Maybe the key "tag" is not top level. In that case, you will need to tell us what the path leading to tag is. In all cases, raw format will help volunteers diagnose.

If "tag" is top level, you can use kv (aka extract) to extract fields like service, APPID, etc., like

| rename _raw AS temp, tag AS _raw
| kv
| rename _raw AS tag, temp AS _raw

Your sample should give

APPID              1234
application        z2
cluster            z2-qa1-local
container_id       asdfgh503
full_container_id  1234567890
full_imagename     0123456789.dkr.10cal/10.20/xyz
service            z2-qa1-local-z2-api-endpoint

Is this something you are looking for?

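To show outside Splunk what the kv trick in this answer produces, and how hyphenated keys such as container-id become container_id, here is an added Python example (not from the post or from Splunk). It walks the JSON event to the tag key (a dotted path argument covers the "tag is not top level" case), splits the space-separated key=value pairs, and cleans field names the way Splunk's CLEAN_KEYS setting does; the sample event is constructed from the question and the path parameter is an assumption of this example.

```python
import json
import re

# Constructed sample event, following the shape shown in the question:
# a nested "line" object plus a top-level "tag" string of key=value pairs.
SAMPLE_EVENT = json.dumps({
    "line": {
        "@timestamp": "2023-10-31T20:36:57.092Z",
        "class": "x.x.x.x.x.Logging",
        "message": "GET https://00.00.000.000:123456/management/health "
                   "forwarded from [] by [] for unknown returned 200 in 1ms",
        "severity": "INFO",
    },
    "source": "stdout",
    "tag": "service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local "
           "application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz "
           "container-id=asdfgh503 full-container-id=1234567890",
})

# One key=value pair: key has no whitespace or '=', value runs to the next space.
KV_PAIR = re.compile(r"(?P<key>[^\s=]+)=(?P<value>\S*)")


def clean_field_name(key: str) -> str:
    """Approximate Splunk's CLEAN_KEYS: non-alphanumeric characters become '_'
    and leading underscores are stripped, so 'container-id' -> 'container_id'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", key).lstrip("_")


def extract_tag_fields(raw_event: str, path: str = "tag") -> dict:
    """Parse the JSON event, descend along the dotted `path` (e.g. "line.tag"
    if the key is nested), and split its string value into fields like `| kv`."""
    node = json.loads(raw_event)
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return {}  # path absent: extract nothing rather than raise
        node = node[part]
    if not isinstance(node, str):
        return {}  # only a string value can hold key=value pairs
    return {clean_field_name(m.group("key")): m.group("value")
            for m in KV_PAIR.finditer(node)}


if __name__ == "__main__":
    for name, value in sorted(extract_tag_fields(SAMPLE_EVENT).items()):
        print(f"{name:<18} {value}")
```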

ITWhisperer
SplunkTrust

Please share the raw, unformatted event in a code block </> to preserve raw formatting.
