How to extract fields from JSON logs without extra...

jsuryaprakash · ‎06-15-2017

Hi Ninjas, I am trying to extract fields from json logs but i have time stamp and some text data in front of array so i can't extract by using key value pair. Can anyone help me?

Jun 12 23:59:18 AM1-JJ-Arod-1 TESTIN-TUE {"addresses": {"local_ipv4": "99.9.9.999", "public_ipv4": "00.000.111.222"}, "cpu_info": {"idle": 00.1}, "date": "2017-06-12 23:59:01.291710", "disk_space": {"disk": "/dev/xvda1", "free": "54781", "pct_used": "6", "total": "60337"}, "host_type": "test", "hostname": "AM1-JJ-Arod-1", "memory_stats": {"available": 3483, "cached": 1747, "free": 1512, "percent": 7.3, "total": 3759, "used": "2247"}

woodcock · ‎06-15-2017

You need the spath command:

http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Spath

ekcsoc · ‎04-13-2020

what if the field is mix of json and some other type. is it possible to parse the field at index time or search time without using spath ?

my dates is some what like this:

ssoId:023serwerwef32, RBA Request :

key=value&key=value&&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value

,RBA Response :

{"key":value","key":value","key":value","key":value","key":value","key":value","key":value","key":value".........}

jsuryaprakash · ‎06-15-2017

I want to filter "Jun 12 23:59:18 AM1-JJ-Arod-1 TESTIN-TUE " out so that i can extract all fields in key value pair.
May I know the exact way how I can do it?

How to extract fields from JSON logs without extracting by key-value pair?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability