Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with extracting JSON fields

kranthimutyala
Path Finder
‎09-23-2022 05:06 AM

Hi Team,
I have the event in the below format and want to extract the key-value pairs as fields.

Please help extract fields from LogDate till the user.Thanks

 

 

{ [-]
   event: INFO  2022-09-23 11:49:59,033 [[MuleRuntime].uber.01: [papi-ust-email-notification-v1-uw-qa].get:\ping:Router.CPU_LITE @6c1fb7] org.mule.runtime.core.internal.processor.LoggerMessageProcessor: {
  "LogDate": "09/23/2022 16:11:13.932",
  "LogNo": "99",
  "LogLevel": "INFO",
  "LogType": "Process Level",
  "LogMessage": "Splunk anypoint log",
  "TimeTaken": "0:00:12.628",
  "ProcessName": "AnypointSplunkTest",
  "TaskName": "AnypointTest",
  "RPAEnvironment": "DEV",
  "LogId": "002308900.20250824210419999",
  "MachineName": "abc-xyz-efg",
  "User": "name.first"
}
   metaData: { [+]
   }
}

 

 

 

and this is the raw text 

{"metaData":{"sourceApiVersion":"1.0.0-SNAPSHOT","index":"aas","sourceApi":"papi-cust-email-notification-v1-uw-qa","cloudhubEnvironment":"AUTOMATION-QA","tags":""},"event":"INFO 2022-09-23 11:49:59,033 [[MuleRuntime].uber.01: [papi-cust-email-notification-v1-uw2-qa].get:\\ping:Router.CPU_LITE @6f3b7] org.mule.runtime.core.internal.processor.LoggerMessageProcessor: {\n \"LogDate\": \"09/23/2022 16:11:13.932\",\n \"LogNo\": \"99\",\n \"LogLevel\": \"INFO\",\n \"LogType\": \"Process Level\",\n \"LogMessage\": \"Splunk anypoint log\",\n \"TimeTaken\": \"0:00:12.628\",\n \"ProcessName\": \"AnypointSplunkTest\",\n \"TaskName\": \"AnypointTest\",\n \"RPAEnvironment\": \"DEV\",\n \"LogId\": \"002308900.20250824210419999\",\n \"MachineName\": \"abc-xyz-wd\",\n \"User\": \"name.first\"\n}"}

Labels (3)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-23-2022 11:07 AM

@kranthimutyala When you say "unsuccessful", you need to illustrate the output and explain why you consider it unsuccessful. (Perhaps you could have explained this in the first problem statement.)

As @gcusello said, your data is compliant JSON, so Splunk should already have given a field "event" - which itself is a combination of free text with an embedded compliant JSON object like the following

INFO 2022-09-23 11:49:59,033 [[MuleRuntime].uber.01: [papi-cust-email-notification-v1-uw2-qa].get:\ping:Router.CPU_LITE @6f3b7] org.mule.runtime.core.internal.processor.LoggerMessageProcessor: { "LogDate": "09/23/2022 16:11:13.932", "LogNo": "99", "LogLevel": "INFO", "LogType": "Process Level", "LogMessage": "Splunk anypoint log", "TimeTaken": "0:00:12.628", "ProcessName": "AnypointSplunkTest", "TaskName": "AnypointTest", "RPAEnvironment": "DEV", "LogId": "002308900.20250824210419999", "MachineName": "abc-xyz-wd", "User": "name.first" }

Here, you just need to extract that JSON object, then apply spath.

 

| eval LOG = replace(event, "^[^{]+", "")
| spath input=LOG

 

Your sample data now gives

LOGLogDateLogIdLogLevelLogMessageLogNoLogTypeMachineNameProcessNameRPAEnvironmentTaskNameTimeTaken 
{ "LogDate": "09/23/2022 16:11:13.932", "LogNo": "99", "LogLevel": "INFO", "LogType": "Process Level", "LogMessage": "Splunk anypoint log", "TimeTaken": "0:00:12.628", "ProcessName": "AnypointSplunkTest", "TaskName": "AnypointTest", "RPAEnvironment": "DEV", "LogId": "002308900.20250824210419999", "MachineName": "abc-xyz-wd", "User": "name.first" }09/23/2022 16:11:13.932002308900.20250824210419999INFOSplunk anypoint log99Process Levelabc-xyz-wdAnypointSplunkTestDEVAnypointTest0If:00:12.628name.first
If Splunk doesn't give you event field, apply spath first to extract event.

 

| spath
| eval LOG = replace(event, "^[^{]+", "")
| spath input=LOG​

 

 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

johnhuang
Motivator
‎09-23-2022 11:37 AM

This should work:

| rex "(?<_raw>\"LogDate[^\}]*)"
| rex field=_raw mode=sed "s/(\"|\\\\n)//g"
| extract pairdelim="," kvdelim=":"
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-23-2022 06:58 AM

Hi @kranthimutyala,

this seems to be a json log, did you tried using spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/spath)?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

kranthimutyala
Path Finder
‎09-23-2022 07:31 AM

Hi @gcusello I tried Spath to extract them but unsuccessful. 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-23-2022 11:07 AM

@kranthimutyala When you say "unsuccessful", you need to illustrate the output and explain why you consider it unsuccessful. (Perhaps you could have explained this in the first problem statement.)

As @gcusello said, your data is compliant JSON, so Splunk should already have given a field "event" - which itself is a combination of free text with an embedded compliant JSON object like the following

INFO 2022-09-23 11:49:59,033 [[MuleRuntime].uber.01: [papi-cust-email-notification-v1-uw2-qa].get:\ping:Router.CPU_LITE @6f3b7] org.mule.runtime.core.internal.processor.LoggerMessageProcessor: { "LogDate": "09/23/2022 16:11:13.932", "LogNo": "99", "LogLevel": "INFO", "LogType": "Process Level", "LogMessage": "Splunk anypoint log", "TimeTaken": "0:00:12.628", "ProcessName": "AnypointSplunkTest", "TaskName": "AnypointTest", "RPAEnvironment": "DEV", "LogId": "002308900.20250824210419999", "MachineName": "abc-xyz-wd", "User": "name.first" }

Here, you just need to extract that JSON object, then apply spath.

 

| eval LOG = replace(event, "^[^{]+", "")
| spath input=LOG

 

Your sample data now gives

LOGLogDateLogIdLogLevelLogMessageLogNoLogTypeMachineNameProcessNameRPAEnvironmentTaskNameTimeTaken 
{ "LogDate": "09/23/2022 16:11:13.932", "LogNo": "99", "LogLevel": "INFO", "LogType": "Process Level", "LogMessage": "Splunk anypoint log", "TimeTaken": "0:00:12.628", "ProcessName": "AnypointSplunkTest", "TaskName": "AnypointTest", "RPAEnvironment": "DEV", "LogId": "002308900.20250824210419999", "MachineName": "abc-xyz-wd", "User": "name.first" }09/23/2022 16:11:13.932002308900.20250824210419999INFOSplunk anypoint log99Process Levelabc-xyz-wdAnypointSplunkTestDEVAnypointTest0If:00:12.628name.first
If Splunk doesn't give you event field, apply spath first to extract event.

 

| spath
| eval LOG = replace(event, "^[^{]+", "")
| spath input=LOG​

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-23-2022 08:01 AM

Hi @kranthimutyala,

it's strange because it seems to be a json format.

Anyway, in this case you have some regex extraction like the following:

\"LogDate\":\s+\"(?<LogDate>[^\"]+)

that you can test at https://regex101.com/r/IzcMqn/1 

and that you can replicate for all your fields.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...