Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction json format

splunklearner
Path Finder
‎11-11-2024 05:18 AM

Please help me to get these logs in a way that it provides all the fields please...

Nov 9 17:34:28 128.160.82.28 [local0.warning] <132>1 2024-11-09T17:34:28.436542Z AviVantage v-epswafhic2-wdc.hc.cloud.uk.hc-443 NILVALUE NILVALUE - {"adf":true,"significant":0,"udf":false,"virtualservice":"virtualservice-4583863f-48a3-42b9-8115-252a7fb487f5","report_timestamp":"2024-11-09T17:34:28.436542Z","service_engine":"GB-DRN-AB-Tier2-se-vxeuz","vcpu_id":0,"log_id":10181,"client_ip":"128.12.73.92","client_src_port":44908,"client_dest_port":443,"client_rtt":1,"http_version":"1.1","method":"HEAD","uri_path":"/path/to/monitor/page/","host":"udg1704n01.hc.cloud.uk.hc","response_content_type":"text/html","request_length":93,"response_length":94,"response_code":400,"response_time_first_byte":1,"response_time_last_byte":1,"compression_percentage":0,"compression":"","client_insights":"","request_headers":3,"response_headers":12,"request_state":"AVI_HTTP_REQUEST_STATE_READ_CLIENT_REQ_HDR","significant_log":["ADF_HTTP_BAD_REQUEST_PLAIN_HTTP_REQUEST_SENT_ON_HTTPS_PORT","ADF_RESPONSE_CODE_4XX"],"vs_ip":"128.160.71.14","request_id":"61e-RDl6-OZgZ","max_ingress_latency_fe":0,"avg_ingress_latency_fe":0,"conn_est_time_fe":1,"source_ip":"128.12.73.92","vs_name":"v-epswafhic2-wdc.hc.cloud.uk.hc-443","tenant_name":"admin"}

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2024 06:07 AM 
| rex "(?<json>\{.*\})"
| spath input=json

View solution in original post

Reply
Solved! Jump to solution

splunklearner
Path Finder
‎11-12-2024 12:55 AM

Appreciated @PickleRick and @ITWhisperer . Please answer my last question

| rex "(?<json>\{.*\})"
| spath input=json​

so the above command works fine right for mixed pattern (json and xml) for my example? currently and for upcoming events? is there any other way to hide this query apart from macro?

0 Karma
Reply
Solved! Jump to solution

splunklearner
Path Finder
‎11-11-2024 07:15 AM

We are having 3 indexers with 2 cluster managers and 3 SH with one Deployer. its multi site cluster. Please help me to configure this setting before on-boarding rather than spath command? Please tell me in detail how to perform?

0 Karma
Reply
Solved! Jump to solution

splunklearner
Path Finder
‎11-11-2024 05:44 AM

Hi, 

please check now

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2024 06:07 AM 
| rex "(?<json>\{.*\})"
| spath input=json
Reply
Solved! Jump to solution

splunklearner
Path Finder
‎11-11-2024 10:41 AM

 

| rex "(?<json>\{.*\})"
| spath input=json​

so the above command works fine right for mixed pattern (json and xml) for my example? currently and for upcoming events? is there any other way to hide this query apart from macro?

0 Karma
Reply
Solved! Jump to solution

splunklearner
Path Finder
‎11-11-2024 06:18 AM

Thank you. It worked. One small doubt, will it be worked for upcoming new events also right? Is there any way to hide this in search rather than creating macro? 

and can we do it during on-boarding itself during index or search time extraction? Please help me

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-11-2024 10:00 AM

Unfortunately, for now Splunk cannot perform a structured data extraction if the whole event is not a structured data (in other words - if you have a json or XML data which has some header, like in your example, Splunk cannot automatically extract data from it).

There is an idea about it at https://ideas.splunk.com/ideas/EID-I-208 - while it's already as "Future Prospect", you can give your vote to show your support for it.

At the moment the only thing you could do would be to cut the whole header away with SEDCMD during ingestion so that all that's left is a valid json structure. But that's not always what you want.

Reply
Solved! Jump to solution

splunklearner
Path Finder
‎11-11-2024 10:04 AM

Hi @PickleRick ,

Then what is use of KV_MODE = json that needs to be given in props.conf (saw somewhere a while ago).

Please let me understand whether my data contains both json and xml or only json? Because when i am using spath command provided by @ITWhisperer it extracted the fields... is it wrong? (if json and xml both present in my example event)

any idea on this?

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-11-2024 10:19 AM

I mean that KV_MODE=something works only when the _whole event_ is just a blob of structured data. Without any additional parts to it.

So KV_MODE=json will work if your whole even consists of

{"my":"data","is":"json"}

but will not work if it's

<144>2014-11-11 11:23 Some lousy[24]: pseudo-syslog header with {"json":"data","further":"down","the":street"}
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2024 05:35 AM

The sample event that you posted does not contain valid json. I presume this is a copy/paste error or other typo. Please repost the raw data from your event (anonymised as required) in a code block (using the </> button above) to preserve formatting details.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...