We have tried to do using the spath, but I did not get the expected response as our log files are not json totally. Those are text log files which contains the json objects in middle somewhere.. please let me know if there is another way where we can extract the json object.

If you have already extracted your fields then simply pass the relevant JSON field to spath like this:

| spath input=YOURFIELDNAME

If you haven't manage to extract the JSON field just yet and your events look like the one you posted above, then try the following:

yoursearch
| rex field=_raw "(?msi)(?<json_field>\{.+\}$)"
| spath input=json_field

That will just extract just the json bits from your event.

This is good if you're typing manual search results, but is it possible to auto-extract KV's from JSON once you've cleanly extracted the JSON into it's own field?

The raw events aren't ONLY JSON, and I want auto-extractions to occur against a particular field in all search cases, not only those with the spath command piped.

Am I dreaming?

thank you javiergn...your second search worked for my scenario..been trying since few hours ...

Thanks that helped.. that is what I was looking for. Thank you for a quick reply.