Re: can't extract field in json

efrenette11 · ‎07-28-2015

Hi,

I try to extract fields fron this json. I've tried with jsonkv and spath and it looks like that ' does generate problem during the extraction.

{'idFromSource':'344064','id':{'tmonline-us':{'id':'344064'}},'name':{'en-us':'NOVENUE'},'city':{'id':{},'name':{}},'timezone':'America/Los_Angeles','dma':[],'market':[],'image':[],'isTest':false,'source':'tmonline-us','idFromSource':'344064'}

Any suggestion ?

aljohnson_splun · ‎07-28-2015

Is this the actual json data? I tried linting it and it failed. http://jsonlint.com/ . Also, have you tried using KV_MODE=JSON inprops.conf ?

somesoni2 · ‎07-28-2015

I think the single quotes are causing issues. Give this a try:- (replacing single quotes with double quotes)

host="*cops.jetdev2.syseng.tmcs" appCode="jms.send" | table payload | eval payload=replace(payload,"'","\"") | spath input=payload

somesoni2 · ‎07-28-2015

When ingested in Splunk what sourcetype definition you've used? (props.conf on Indexer/Heavy Forwarder)

efrenette11 · ‎07-28-2015

I'm currently tryin to replace ' with " in the payload, but I always obtain UNBALACED QUOTES as error message.

efrenette11 · ‎07-28-2015

In fact there's no specific source type defined as a log loune is not all in json format. Only the payload has json as format.

Is a result this request.
host="*cops.jetdev2.syseng.tmcs" appCode="jms.send" | table payload

can't extract field in json

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!