Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk search- How to extract payload?

Sanjana
Explorer
‎10-06-2022 05:39 AM

Hello ,

I have splunk logger line like below:

Address: XXX HttpMethod: POST  Headers: {Ama-Internal-REST-Service=hotel/booking, , Ama-Internal-Protocol=HTTP, Message-Type=RPWREQ} Payload: {"channel":"noChannel","conversationId":"12345","version":"1.0","agent":"noAgent","date":"2023-01-01","events":[{"action":"Update","objectAfter":{"chainCode":"BLR","brandCode":"ES","propertyCode":"HYATT"},"type":"Property"}]}

I need to extract payload after  Payload:

And then stats as table where columns are all field in payload. 
for eg:

TABLE OUTPUT:

channel  conversationId  version date  chaincode  propertycode  type  

Labels (7)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-06-2022 05:47 PM

The raw data is not in JSON format, so you need to extract that Payload piece first.

| rex "Payload:\s*(?<Payload>.+)"
| spath input=Payload

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-06-2022 05:45 AM

Hi @Sanjana,

this seems to be a json log, so the spath command should extract all the fields.

In this case try something like this:

<your_search>
| spath
| table channel  conversationId  version date  chaincode  propertycode  type

I'm not sure about the field names, check them after spath execution.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...