Splunk Search

How to turn off parsing windows event json fields

angshul
Path Finder

I am using Splunk universal forwarder to forward events from windows event log to Splunk.
The event has data in JSON format which gets posted in Splunk as Message= e.g.

LogName=CustomLog
SourceName=ECEventLogProvider
EventCode=256
EventType=4
Type=Information
ComputerName=CHECHI12
TaskCategory=Network Events
OpCode=None
RecordNumber=133
Keywords=Classic
Message={
    "description" : "SSample text",
    "event_id" : "47",
    "id" : "22",
    "logtype" : "Error",
    "msgnum" : "0",
    "severity" : "Reserved",
    "source" : "Sample source",
    "status" : "New",
    "system_state" : "S4/S5",
    "timestamp" : "00-01-01 00:00:00",
    "timestamp_accuracy" : "Approximate"
}

I am thinking of parsing the json referred by Message in search query by using spath:

"logname=customlog" | spath input=Message| timechart count by event_id

The above search results in duplicate event_id values (e.g. "\"35\",", 35, "\"47\",", 47 etc.) since Splunk by default parses the data and spath parses it again.
How can I discard the Splunk parsed data and only get stats for the parsing specified in search?

0 Karma
1 Solution

angshul
Path Finder

but this causes the problem I mentioned above (duplicate events)

I ended up doing following:

  • "logname=customlog" | fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message | spath input=Message output=EventMessage path=Message | spath input=Message output=Description path=description | spath input=Message output=event_id path=event_id | spath input=Message output=timestamp path=timestamp | spath input=Message output=source path=source | eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") | eval _time=NewTime | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") | timechart count by event_id

View solution in original post

0 Karma

angshul
Path Finder

but this causes the problem I mentioned above (duplicate events)

I ended up doing following:

  • "logname=customlog" | fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message | spath input=Message output=EventMessage path=Message | spath input=Message output=Description path=description | spath input=Message output=event_id path=event_id | spath input=Message output=timestamp path=timestamp | spath input=Message output=source path=source | eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") | eval _time=NewTime | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") | timechart count by event_id
0 Karma

woodcock
Esteemed Legend

OK, come on back and click Accept on your answer to close the question.

0 Karma

woodcock
Esteemed Legend

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND "logname=customlog"
| spath input=Message
| timechart count(SomeFieldNameThatIsOnlyCreatedBySpathHere) BY event_id
0 Karma
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...