Splunk search- How to extract payload?

Sanjana · ‎10-06-2022

Hello ,

I have splunk logger line like below:

Address: XXX HttpMethod: POST Headers: {Ama-Internal-REST-Service=hotel/booking, , Ama-Internal-Protocol=HTTP, Message-Type=RPWREQ} Payload: {"channel":"noChannel","conversationId":"12345","version":"1.0","agent":"noAgent","date":"2023-01-01","events":[{"action":"Update","objectAfter":{"chainCode":"BLR","brandCode":"ES","propertyCode":"HYATT"},"type":"Property"}]}

I need to extract payload after Payload:

And then stats as table where columns are all field in payload.
for eg:

TABLE OUTPUT:

channel conversationId version date chaincode propertycode type

yuanliu · ‎10-06-2022

The raw data is not in JSON format, so you need to extract that Payload piece first.

| rex "Payload:\s*(?<Payload>.+)"
| spath input=Payload

gcusello · ‎10-06-2022

Hi @Sanjana,

this seems to be a json log, so the spath command should extract all the fields.

In this case try something like this:

<your_search>
| spath
| table channel  conversationId  version date  chaincode  propertycode  type

I'm not sure about the field names, check them after spath execution.

Ciao.

Giuseppe

Splunk search- How to extract payload?

count

fields

regex

rex

search job inspector

stats

table

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!