Splunk Search

Parse JSON string with different structures

ashodha
Engager

We have Multiple apps that generate logs and there format is little different . 

Splunk currently just shows that field as just a string ex: 

{

id:1,

log:  " {k1:v1,K2:v2}"

}

The K1 and K2 are not searchable.

log can have different format messages but we want all of them to be searchable. 

Thanks

 

Labels (2)
0 Karma

to4kawa
Ultra Champion
index=_internal | head 1 | fields _raw
| eval _raw="{\"id\":1,\"log\":\"\\\"{k1:v1,K2:v2}\\\"\"}"
| eval data=_raw
| rename COMMENT as "this is sample"
| spath input=data
| rex field=log mode=sed "s/(?<key>\w+):\s*(?<value>\w+)/\"\1\":\"\2\"/g s/\"(.*)\"/\1/"
| spath input=log
| search k1="v1"

It might be a little annoying.

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @ashodha,

I think you see the "log" field, you can use spath like below;

| spath input=log
| search k1="v1" K2="v2"

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...