Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with Field Extraction from Complex json files

SplunkDash
Motivator
‎08-22-2022 07:37 PM

Hello,

is there any way we can extract fields from this sample data, any help will be highly appreciated.

Thank you!

 

2022-07-22 17:21:50 - { "type" : "core", "r/o" : false, "booting" : true, "version" : "7.2.9.GA", "user" : "anonymous", "domainUUID" : null, "access" : null, "remote-address" : null, "success" : true, "ops" : [ { "operation" : "add", "address" : [{ "system-property" : "dstest.tx.node.id" }], "value" : "vp2mbg_c001_r3050" }, { "operation" : "add", "address" : [{ "system-property" : "jdk.tls.client.protocols" }], "value" : "TLSv1.2" }, { "operation" : "add", "address" : [{ "system-property" : "org.apache.coyote.ajp.DEFAULT_CONNECTION_TIMEOUT" }], "value" : "600000" }, { "operation" : "add", "address" : [{ "system-property" : "org.apache.coyote.ajp.MAX_PACKET_SIZE" }], "value" : "65536" }, { "operation" : "add", "address" : [{ "system-property" : "javax.net.ssl.trustStore" }], "value" : "/opt/app/dstest/ssl/cacerts.jks" }, { "operation" : "add", "address" : [{ "system-property" : "javax.net.ssl.trustStorePassword" }], "value" : { "EXPRESSION_VALUE" : "${VAULT::vb::truststorepass::1}" } }, { "operation" : "add", "address" : [{ "system-property" : "javax.net.ssl.keyStore" }], "value" : "/opt/app/DSTest/ssl/tccs-proddr.keystore" }, { "operation" : "add", "address" : [{ "system-property" : "javax.net.ssl.keyStorePassword" }], "value" : { "EXPRESSION_VALUE" : "${VAULT::vb::certpass::1}" } }, { "operation" : "add", "address" : [{ "system-property" : "tcp.allow.dev.esa.token" }], "value" : "true" }, { "operation" : "add", "address" : [{ "system-property" : "tccs.allow.dev.esa.token" }], "value" : "true" }, { "operation" : "add", "address" : [{ "system-property" : "CLAS.ENVIRONMENT" }], "value" : "prod" }, { "operation" : "add", "address" : [{ "system-property" : "TCCS.ENVIRONMENT" }], "value" : "prod" }, { "operation" : "add", "address" : [{ "system-property" : "agent.user" }], "value" : { "EXPRESSION_VALUE" : "${VAULT::vb::agentuser::1}" } }, { "operation" : "add", "address" : [{ "system-property" : "agent.password" }], "value" : { "EXPRESSION_VALUE" : "${VAULT::vb::agentpass::1}" } }, { "address" : [{ "path" : "DSTest.server.ADCredStore.dir" }], "operation" : "add", "path" : "/opt/app/DSTest/profiles/instances/tccs/ADCredStore" }, { "address" : [{ "path" : "DSTest.ssl" }], "operation" : "add", "path" : "/opt/app/DSTest/ssl" }, { "address" : [{ "core-service" : "vault" }], "operation" : "add", "vault-options" : [ { "KEYSTORE_URL" : "/opt/app/DSTest/profiles/instances/tccs/configuration/eap7vault.keystore" }, { "KEYSTORE_PASSWORD" : "MASK-0dF/GimhesRBlxgjOeSNqf" }, { "KEYSTORE_ALIAS" : "vault" }, { "SALT" : "147asa2900" }, { "ITERATION_COUNT" : "8" }, { "ENC_FILE_DIR" : "/opt/app/DSTest/profiles/instances/tccs/configuration/" } ] }] }

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-22-2022 09:50 PM

If the part following the date/time is good JSON, then you can do this - this search uses your data

| makeresults
| eval _raw="2022-07-22 17:21:50 - { \"type\" : \"core\", \"r/o\" : false, \"booting\" : true, \"version\" : \"7.2.9.GA\", \"user\" : \"anonymous\", \"domainUUID\" : null, \"access\" : null, \"remote-address\" : null, \"success\" : true, \"ops\" : [ { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"dstest.tx.node.id\" }], \"value\" : \"vp2mbg_c001_r3050\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"jdk.tls.client.protocols\" }], \"value\" : \"TLSv1.2\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"org.apache.coyote.ajp.DEFAULT_CONNECTION_TIMEOUT\" }], \"value\" : \"600000\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"org.apache.coyote.ajp.MAX_PACKET_SIZE\" }], \"value\" : \"65536\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"javax.net.ssl.trustStore\" }], \"value\" : \"/opt/app/dstest/ssl/cacerts.jks\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"javax.net.ssl.trustStorePassword\" }], \"value\" : { \"EXPRESSION_VALUE\" : \"${VAULT::vb::truststorepass::1}\" } }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"javax.net.ssl.keyStore\" }], \"value\" : \"/opt/app/DSTest/ssl/tccs-proddr.keystore\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"javax.net.ssl.keyStorePassword\" }], \"value\" : { \"EXPRESSION_VALUE\" : \"${VAULT::vb::certpass::1}\" } }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"tcp.allow.dev.esa.token\" }], \"value\" : \"true\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"tccs.allow.dev.esa.token\" }], \"value\" : \"true\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"CLAS.ENVIRONMENT\" }], \"value\" : \"prod\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"TCCS.ENVIRONMENT\" }], \"value\" : \"prod\" }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"agent.user\" }], \"value\" : { \"EXPRESSION_VALUE\" : \"${VAULT::vb::agentuser::1}\" } }, { \"operation\" : \"add\", \"address\" : [{ \"system-property\" : \"agent.password\" }], \"value\" : { \"EXPRESSION_VALUE\" : \"${VAULT::vb::agentpass::1}\" } }, { \"address\" : [{ \"path\" : \"DSTest.server.ADCredStore.dir\" }], \"operation\" : \"add\", \"path\" : \"/opt/app/DSTest/profiles/instances/tccs/ADCredStore\" }, { \"address\" : [{ \"path\" : \"DSTest.ssl\" }], \"operation\" : \"add\", \"path\" : \"/opt/app/DSTest/ssl\" }, { \"address\" : [{ \"core-service\" : \"vault\" }], \"operation\" : \"add\", \"vault-options\" : [ { \"KEYSTORE_URL\" : \"/opt/app/DSTest/profiles/instances/tccs/configuration/eap7vault.keystore\" }, { \"KEYSTORE_PASSWORD\" : \"MASK-0dF/GimhesRBlxgjOeSNqf\" }, { \"KEYSTORE_ALIAS\" : \"vault\" }, { \"SALT\" : \"147asa2900\" }, { \"ITERATION_COUNT\" : \"8\" }, { \"ENC_FILE_DIR\" : \"/opt/app/DSTest/profiles/instances/tccs/configuration/\" } ] }] }"
| rex "[^\{]*(?<json>.*)"
| spath input=json

It uses rex to make a field called json with the raw JSON in it, then spath to parse the JSON.

 

Reply

SplunkDash
Motivator
‎08-22-2022 09:53 PM

Hello,

Thank you so much for your quick response. Is there any way I can extract fields using props.conf /transforms.conf files? 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-22-2022 10:03 PM

Yes, you can but I am not sure of the 'correct' way to do it

See https://community.splunk.com/t5/Splunk-Search/How-to-use-spath-command-in-props-conf-or-transforms-c...

where someone else has a similar issue or maybe these legends can help @ITWhisperer @richgalloway @PickleRick @yuanliu 

Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-22-2022 11:43 PM

I do not believe that you can combine the two steps into props.conf.  You best bet is to ask the developer who wrote the log files to change the format to pure, conformant JSON, e.g., 

{"timestamp" : "2022-07-22 17:21:50", "type" : "core", "r/o" : false, "booting" : true, "version" : "7.2.9.GA", "user" : "anonymous", "domainUUID" : null, "access" : null, "remote-address" : null, "success" : true, "ops" : [ { "operation" : "add", "address" : [{ "system-property" : "dstest.tx.node.id" }], "value" : "vp2mbg_c001_r3050" }, { "operation" : "add", "address" : [{ "system-property" : "jdk.tls.client.protocols" }], "value" : "TLSv1.2" }, { "operation" : "add", "address" : [{ "system-property" : "org.apache.coyote.ajp.DEFAULT_CONNECTION_TIMEOUT" }], "value" : "600000" }, { "operation" : "add", "address" : [{ "system-property" : "org.apache.coyote.ajp.MAX_PACKET_SIZE" }], "value" : "65536" }, { "operation" : "add", "address" : [{ "system-property" : "javax.net.ssl.trustStore" }], "value" : "/opt/app/dstest/ssl/cacerts.jks" }, { "operation" : "add", "address" : [{ "system-property" : "javax.net.ssl.trustStorePassword" }], "value" : { "EXPRESSION_VALUE" : "${VAULT::vb::truststorepass::1}" } }, { "operation" : "add", "address" : [{ "system-property" : "javax.net.ssl.keyStore" }], "value" : "/opt/app/DSTest/ssl/tccs-proddr.keystore" }, { "operation" : "add", "address" : [{ "system-property" : "javax.net.ssl.keyStorePassword" }], "value" : { "EXPRESSION_VALUE" : "${VAULT::vb::certpass::1}" } }, { "operation" : "add", "address" : [{ "system-property" : "tcp.allow.dev.esa.token" }], "value" : "true" }, { "operation" : "add", "address" : [{ "system-property" : "tccs.allow.dev.esa.token" }], "value" : "true" }, { "operation" : "add", "address" : [{ "system-property" : "CLAS.ENVIRONMENT" }], "value" : "prod" }, { "operation" : "add", "address" : [{ "system-property" : "TCCS.ENVIRONMENT" }], "value" : "prod" }, { "operation" : "add", "address" : [{ "system-property" : "agent.user" }], "value" : { "EXPRESSION_VALUE" : "${VAULT::vb::agentuser::1}" } }, { "operation" : "add", "address" : [{ "system-property" : "agent.password" }], "value" : { "EXPRESSION_VALUE" : "${VAULT::vb::agentpass::1}" } }, { "address" : [{ "path" : "DSTest.server.ADCredStore.dir" }], "operation" : "add", "path" : "/opt/app/DSTest/profiles/instances/tccs/ADCredStore" }, { "address" : [{ "path" : "DSTest.ssl" }], "operation" : "add", "path" : "/opt/app/DSTest/ssl" }, { "address" : [{ "core-service" : "vault" }], "operation" : "add", "vault-options" : [ { "KEYSTORE_URL" : "/opt/app/DSTest/profiles/instances/tccs/configuration/eap7vault.keystore" }, { "KEYSTORE_PASSWORD" : "MASK-0dF/GimhesRBlxgjOeSNqf" }, { "KEYSTORE_ALIAS" : "vault" }, { "SALT" : "147asa2900" }, { "ITERATION_COUNT" : "8" }, { "ENC_FILE_DIR" : "/opt/app/DSTest/profiles/instances/tccs/configuration/" } ] }] }
​

If they can do this, Splunk will automatically extract fields if you tell it to use JSON data type (INDEXED_EXTRACTIONS = json), or you can ask it not to use JSON type, but to extract JSON data at search time (KV_MODE=json)

 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-23-2022 12:34 AM

At the moment, at least that's what I found during my research (I needed that as well), you can't tell Splunk to use only part of the message for structured extractions. It's a shame, really, because it's often that the events do contain some part of non-structured (or "human-structured") header and then a json or xml part at the end.

Unfortunately, the only thing you can do to automatically extract the json/xml/whatever part is use transform to cut the non-structured part from the event. Unfortunately, doing so you're obviously losing data from the cut part. So there's no good solution for that (short of extracting that data first into indexed fields but that's another story and very "non-splunky" way)

Reply

SplunkDash
Motivator
‎08-22-2022 10:11 PM

Thank you so much again. But how can I reach out to them?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...