I've got a feed that is sending non-compliant json since spath doesn't work on it. I put together this search
index=dlp sourcetype=sft:json "{"
| head 1
| eval data='{"time": "2023-07-21T19:10:48+00:00", "pid": 24086, "msec": 1689966648.059, "remote_addr": "aaa.bbb.ccc.ddd", "request_time": 0.005, "host": "sitename.noname.org", "remote_user": "-", "request_filtered": "GET /healthz HTTP/1.1", "status": 200, "body_bytes_sent": 13, "bytes_sent": 869, "request_length": 72, "http_referer_filtered": "", "http_user_agent": "-", "http_x_forwarded_for": "-", "context": "973235423dccda96a385ca21c133891632a28d91"}'
| spath input=data
I'm not seeing any value for data, thus nothing for the spath. Do I need to do something special to the eval to get it to process?
TIA,
Joe
Strings need to be in double quotes and embedded quotes need to be escaped
| eval data="{\"time\": \"2023-07-21T19:10:48+00:00\", \"pid\": 24086, \"msec\": 1689966648.059, \"remote_addr\": \"aaa.bbb.ccc.ddd\", \"request_time\": 0.005, \"host\": \"sitename.noname.org\", \"remote_user\": \"-\", \"request_filtered\": \"GET /healthz HTTP/1.1\", \"status\": 200, \"body_bytes_sent\": 13, \"bytes_sent\": 869, \"request_length\": 72, \"http_referer_filtered\": \"\", \"http_user_agent\": \"-\", \"http_x_forwarded_for\": \"-\", \"context\": \"973235423dccda96a385ca21c133891632a28d91\"}"
Strings need to be in double quotes and embedded quotes need to be escaped
| eval data="{\"time\": \"2023-07-21T19:10:48+00:00\", \"pid\": 24086, \"msec\": 1689966648.059, \"remote_addr\": \"aaa.bbb.ccc.ddd\", \"request_time\": 0.005, \"host\": \"sitename.noname.org\", \"remote_user\": \"-\", \"request_filtered\": \"GET /healthz HTTP/1.1\", \"status\": 200, \"body_bytes_sent\": 13, \"bytes_sent\": 869, \"request_length\": 72, \"http_referer_filtered\": \"\", \"http_user_agent\": \"-\", \"http_x_forwarded_for\": \"-\", \"context\": \"973235423dccda96a385ca21c133891632a28d91\"}"