Splunk Search

Extract JSON formatted data

sathiyasun
Explorer

Below is the sample JSON log content. The main fields are extracted by default but the nested ones aren't. Please help to extract the nested space-separated data as fields.

The one I want to extract as a separate field is the line

tag: service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890

Whole log event
{ [-]
line: { [-]
@timestamp: 2023-10-31T20:36:57.092Z
class: x.x.x.x.x.Logging
exception:
line: 54
marker:
message: GET https://00.00.000.000:123456/management/health forwarded from [] by [] for unknown returned 200 in 1ms
pid: 7
severity: INFO
span: b60d05680b3cbfa7
thread: boundedElastic-9
trace: b60d05680b3cbfa7
}
source: stdout
tag: service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890
}


yuanliu
SplunkTrust

As @ITWhisperer said, illustrate structured data in raw format, not with Splunk's condensation.

If you already have a top level key "tag", I suspect that you actually want the key-value pairs in that value ("service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890") extracted, not to extract that line again. Maybe the key "tag" is not top level. In that case, you will need to tell us what the path leading to tag is. In all cases, raw format will help volunteers diagnose.

If "tag" is top level, you can use kv (aka extract) to extract fields like service, APPID, etc., like

| rename _raw AS temp, tag AS _raw
| kv
| rename _raw AS tag, temp as _raw

Your sample should give

Field                Value
APPID                1234
application          z2
cluster              z2-qa1-local
container_id         asdfgh503
full_container_id    1234567890
full_imagename       0123456789.dkr.10cal/10.20/xyz
service              z2-qa1-local-z2-api-endpoint

Is this something you are looking for?

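As an added example (not from this thread and not Splunk's own code), the same extraction done outside Splunk in Python: it parses the raw JSON event, splits the top-level tag string into key=value pairs, and normalizes field names the way the answer's output shows (container-id becomes container_id). The raw JSON is reconstructed from the condensed event in the question and is an assumption; the quoted-value handling goes beyond the sample.

```python
import json
import re
import shlex

# Constructed raw JSON, rebuilt from the condensed event in the question; Splunk's
# "{ [-]" display is not valid JSON, so the exact raw layout is an assumption.
SAMPLE_EVENT = json.dumps({
    "line": {
        "@timestamp": "2023-10-31T20:36:57.092Z",
        "class": "x.x.x.x.x.Logging",
        "line": 54,
        "message": "GET https://00.00.000.000:123456/management/health forwarded "
                   "from [] by [] for unknown returned 200 in 1ms",
        "pid": 7,
        "severity": "INFO",
    },
    "source": "stdout",
    "tag": "service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local "
           "application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz "
           "container-id=asdfgh503 full-container-id=1234567890",
})

def normalize_field_name(name: str) -> str:
    """Match the names kv produced in the answer's table: 'container-id' -> 'container_id'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)

def extract_tag_fields(raw_event: str, key: str = "tag") -> dict:
    """Parse the raw JSON event and split its top-level `key` string into key=value fields.

    Tokens are split shell-style so a quoted value containing spaces stays whole
    (a generalization; the sample has no quotes). Tokens without '=' or with an
    empty name are skipped instead of producing a bogus field.
    """
    event = json.loads(raw_event)
    tag = event.get(key)
    if not isinstance(tag, str):
        return {}
    fields = {}
    for token in shlex.split(tag):
        name, sep, value = token.partition("=")
        if not sep or not name:
            continue
        fields[normalize_field_name(name)] = value
    return fields

if __name__ == "__main__":
    for name, value in extract_tag_fields(SAMPLE_EVENT).items():
        print(f"{name}={value}")
```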

ITWhisperer
SplunkTrust

Please share the raw, unformatted event in a code block </> to preserve raw formatting.
