Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parse JSON string with different structures

ashodha
Engager
‎01-15-2021 12:39 PM

We have Multiple apps that generate logs and there format is little different . 

Splunk currently just shows that field as just a string ex: 

{

id:1,

log:  " {k1:v1,K2:v2}"

}

The K1 and K2 are not searchable.

log can have different format messages but we want all of them to be searchable. 

Thanks

 

Labels (2)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 01:38 PM 
index=_internal | head 1 | fields _raw
| eval _raw="{\"id\":1,\"log\":\"\\\"{k1:v1,K2:v2}\\\"\"}"
| eval data=_raw
| rename COMMENT as "this is sample"
| spath input=data
| rex field=log mode=sed "s/(?<key>\w+):\s*(?<value>\w+)/\"\1\":\"\2\"/g s/\"(.*)\"/\1/"
| spath input=log
| search k1="v1"

It might be a little annoying.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-15-2021 12:44 PM

Hi @ashodha,

I think you see the "log" field, you can use spath like below;

| spath input=log
| search k1="v1" K2="v2"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top