I have a JSON-based log file for which every line is a valid JSON document. When searching it like this:

    source="/path/to/json/logfile" message.path="/ws/ws_metrics/page_hidden/" | table message.params.page_hide_metrics

I get entries with the JSON I expect, like this:

    {"connections":[{"connection_num":1,"initialized":"2021-10-25T20:46:45.318Z","ready_state":1,"connected_duration_seconds":32.296,"ready_state_times":[null,0.512,null,null]}],"tab_session_id":"604931x|concept|1635194804","first_connection_index":0,"percent_uptime":0.9843940502316508,"duration_seconds":32.296,"page_duration_seconds":32.808}

However, when I try to use an example like example #1 given for json_extract in the Splunk docs,

    source="/path/to/json/logfile" message.path="/ws/ws_metrics/page_hidden/" | eval ph_metrics = json_extract(message.params.page_hide_metrics) | table ph_metrics

I don't get any results. Why?