Another important point: Your raw data is in JSON. Do not treat structured data as plain strings. In other words, instead of using regex, use the proper JSON tools Splunk has. When showing structured data, it is important to post a compliant structure. Let me reconstruct a compliant JSON out of the illustrated fragment before giving you a shortcut.

{"isthiscorrect": {"somekey": {"Name":null,"Id":null,"WaypointId":null}},"Body":{"APIServiceCall":{"ResponseStatusCode":"200","ResponsePayload":"{\"eligibilityIndicator\":[{\"service\":\"Mobile\",\"eligible\":true,\"successReasonCodes\":[],\"failureReasonCodes\":[]}]}"}}}

If your raw events resemble the above in structure, Splunk would have given you a field named Body.APIServiceCall.ResponsePayload. Your illustrated fragment contains this value for that field:

{"eligibilityIndicator":[{"service":"Mobile","eligible":true,"successReasonCodes":[],"failureReasonCodes":[]}]}

All you need to do is to use an appropriate tool to extract from this. But before you do, note that eligibilityIndicator is an array. You most likely want to split the array elements into their own events. Putting this chain together:

| spath input=Body.APIServiceCall.ResponsePayload path=eligibilityIndicator{}
| mvexpand eligibilityIndicator{}
| spath input=eligibilityIndicator{}

The field you are trying to extract is now called eligible. Here is an emulation with your fragment as reconstructed above.

| makeresults
| eval _raw = "{\"isthiscorrect\": {\"somekey\": {\"Name\":null,\"Id\":null,\"WaypointId\":null}},\"Body\":{\"APIServiceCall\":{\"ResponseStatusCode\":\"200\",\"ResponsePayload\":\"{\\\"eligibilityIndicator\\\":[{\\\"service\\\":\\\"Mobile\\\",\\\"eligible\\\":true,\\\"successReasonCodes\\\":[],\\\"failureReasonCodes\\\":[]}]}\"}}}"
| spath
``` data emulation above ```
| spath input=Body.APIServiceCall.ResponsePayload path=eligibilityIndicator{}
| mvexpand eligibilityIndicator{}
| spath input=eligibilityIndicator{}

These are the three fields extracted from eligibilityIndicator{}:

eligible   service   successReasonCodes{}
true       Mobile
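For readers who want to check the extraction outside Splunk, here is the same spath -> mvexpand -> spath staging written in plain Python. This is an added example, not part of the answer above; the sample event is constructed from the reconstructed JSON, and the tolerance for a ResponsePayload that arrives as an object instead of a string is an assumption about other producers, not something the original post states.

```python
import json
from typing import Any

# Constructed sample event, same shape as the reconstructed JSON in the answer.
SAMPLE_EVENT = json.dumps({
    "isthiscorrect": {"somekey": {"Name": None, "Id": None, "WaypointId": None}},
    "Body": {"APIServiceCall": {
        "ResponseStatusCode": "200",
        # The payload is a JSON *string* inside JSON, so it needs a second parse.
        "ResponsePayload": json.dumps({"eligibilityIndicator": [
            {"service": "Mobile", "eligible": True,
             "successReasonCodes": [], "failureReasonCodes": []}]}),
    }},
})


def expand_eligibility(raw_event: str) -> list[dict[str, Any]]:
    """Mirror the SPL chain spath -> mvexpand -> spath.

    Returns one flat record per element of eligibilityIndicator, just as
    mvexpand yields one event per array element.
    """
    event = json.loads(raw_event)                      # first parse: the outer event
    payload = event["Body"]["APIServiceCall"]["ResponsePayload"]
    # Assumption: some producers embed the payload as an object rather than a
    # string; accept both so the extraction does not silently fail on one shape.
    if isinstance(payload, str):
        payload = json.loads(payload)                  # second parse: the embedded string
    indicators = payload.get("eligibilityIndicator", [])
    if not isinstance(indicators, list):               # tolerate a single object
        indicators = [indicators]
    return [
        {
            "service": item.get("service"),
            "eligible": item.get("eligible"),
            "successReasonCodes": item.get("successReasonCodes", []),
            "failureReasonCodes": item.get("failureReasonCodes", []),
        }
        for item in indicators
    ]


if __name__ == "__main__":
    for row in expand_eligibility(SAMPLE_EVENT):
        print(row)
```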