Re: Splunk search- How to extract payload?

Sanjana · ‎10-06-2022

Hello ,

I have splunk logger line like below:

Address: XXX HttpMethod: POST Headers: {Ama-Internal-REST-Service=hotel/booking, , Ama-Internal-Protocol=HTTP, Message-Type=RPWREQ} Payload: {"channel":"noChannel","conversationId":"12345","version":"1.0","agent":"noAgent","date":"2023-01-01","events":[{"action":"Update","objectAfter":{"chainCode":"BLR","brandCode":"ES","propertyCode":"HYATT"},"type":"Property"}]}

I need to extract payload after Payload:

And then stats as table where columns are all field in payload.
for eg:

TABLE OUTPUT:

channel conversationId version date chaincode propertycode type

yuanliu · ‎10-06-2022

The raw data is not in JSON format, so you need to extract that Payload piece first.

| rex "Payload:\s*(?<Payload>.+)"
| spath input=Payload

gcusello · ‎10-06-2022

Hi @Sanjana,

this seems to be a json log, so the spath command should extract all the fields.

In this case try something like this:

<your_search>
| spath
| table channel  conversationId  version date  chaincode  propertycode  type

I'm not sure about the field names, check them after spath execution.

Ciao.

Giuseppe

Splunk search- How to extract payload?

count

fields

regex

rex

search job inspector

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

Splunk search- How to extract payload?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.