Splunk Search

Why am I unable to extract all fields from a JSON event?

ibekacyril
Explorer

I am trying to extract the key/value pairs in this Json field:

[DataJson={"Code":"Error","Reason":"Failed
to locate your record. Message [No
record]"}]

I tried doing this:

spath | rename Code AS Code, Reason AS Reason | table _time, Code, Reason

I only get values for _time, but not for Code and Reason. I would appreciate your help.

Thanks in advance

snoobzilla
Builder

Try extracting field of DataJson and then running spath on that field...

search with rex to extract DataJson | spath input=DataJson

Did not doublecheck syntax.

0 Karma

javiergn
SplunkTrust
SplunkTrust

I think spath doesn't like the format of your JSON field.
Try this instead:

your search here
| rex field=_raw "(?msi)^\[[^=]+=(?<my_json>.+)\]$"
| spath input=my_json 
| rename Code AS Code, Reason AS Reason 
| table _time, Code, Reason

ibekacyril
Explorer

Still only returned values for _time

0 Karma

snoobzilla
Builder

Is the my_json field getting extracted correctly? Starting and ending with {}? If not you will need to tweak regex.

{"Code":"Error","Reason":"Failed to locate your record. Message [Norecord]"}

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...