Parse JSON string with different structures

ashodha · ‎01-15-2021

We have Multiple apps that generate logs and there format is little different .

Splunk currently just shows that field as just a string ex:

{

id:1,

log: " {k1:v1,K2:v2}"

}

The K1 and K2 are not searchable.

log can have different format messages but we want all of them to be searchable.

Thanks

to4kawa · ‎01-15-2021

index=_internal | head 1 | fields _raw
| eval _raw="{\"id\":1,\"log\":\"\\\"{k1:v1,K2:v2}\\\"\"}"
| eval data=_raw
| rename COMMENT as "this is sample"
| spath input=data
| rex field=log mode=sed "s/(?<key>\w+):\s*(?<value>\w+)/\"\1\":\"\2\"/g s/\"(.*)\"/\1/"
| spath input=log
| search k1="v1"

It might be a little annoying.

scelikok · ‎01-15-2021

Hi @ashodha,

I think you see the "log" field, you can use spath like below;

| spath input=log
| search k1="v1" K2="v2"

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Parse JSON string with different structures

field extraction

subsearch

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Parse JSON string with different structures

field extraction

subsearch

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk