Apologies for the delayed response. I used REX meanwhile to extract required fields but it was not a full proof solution because I should know fields to be extracted in advance which is not possible. This is where @yuanliu solution worked as expected.

One final clarification - This solution worked only if jvm_cmd is renamed as _raw. Is it possible to avoid renaming and worked directly on jvm_cmd?

---

One final clarification - This solution worked only if jvm_cmd is renamed as _raw. Is it possible to avoid renaming and worked directly on jvm_cmd?

---

To be honest, there were multiple times I wished that was possible but no. However, in your case, the JSON object is already in _raw. You can try your luck by simply apply | kv without any predisposition. The worst that can happen is that, in addition to possibly extracting additional fields from other JSON nodes that may contain equal-sign-separated kv pairs, some of these interfere with those pairs in jvm_cmd. So, manually test with a meaningful amount of sample. (Or ask your developer if any other fields can potentially contain equal-sign-separated pair and can potentially have overlapping keys.)

I am not sure how that's gonna solve the problem. I am trying to parse jvm_cmd value and it's not a JSON. Can you share some sample spath if I misunderstood you?

Hi @pmittal,

you can find all the information and samples in the above link.

Ciao.

Giuseppe

I tried it before posting without any success. All the example in that link has value itself as either JSON or XML whereas in this case no fixed pattern in value

Hi @pmittal,

if possible, please share a sample of your data that's also useful to create a regex.

Ciao.

Giuseppe

it's there in initial post. I need that P1=v1, p2=v2 ... key pairs extracted

Hi @pmittal,

{... "jvm_cmd":"bin/java -Dp -Dp1=v1-Dp2=v2 -Dq -Dp3=v3 ..."} isn't a full log, if possible, share a full log to understand if it's a json.

Ciao.

Giuseppe

log entry is a json. i can fetch jvm_cmd parmeter as it is a JSON key. that's not the issue. I need to parse value of jvm_cmd. can't share full log due to sensitive information. I tried following Splunk query (few other variations too). It just print log/raw json fields but it won't extract fields out of jvm_cmd value

index=abc jvm_cmd=*xyz* | spath | table *

Hi @pmittal,

if you're sure that you have a json format the spath command should extract all the fields, also the one you need.

If you want to extract only one field, you could follow the 5th example of the link https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

Could you mask a sample of your data to share?

Ciao.

Giuseppe

I don't have to retrieve field value. I have to retrieve key value pair located inside field value. Either you are not getting my point or I am not getting yours at all. Please see java_cmd param value. need to get K,V pair out of it