Hi Michael,
I have similar data with a JSON Message field in Windows Events. I am using spath to search the Message JSON, but the problem is that Splunk by default parses the Message field as key-value pairs, so I end up with duplicate values. E.g.:
Message={
"description" : "Sample text",
"event_id" : "47",
"id" : "22",
"logtype" : "Error",
"msgnum" : "0",
"severity" : "Reserved",
"source" : "Sample source",
"status" : "New",
"system_state" : "S4/S5",
"timestamp" : "00-01-01 00:00:00",
"timestamp_accuracy" : "Approximate"
}
For the above Message field, Splunk has already parsed event_id with the value "\"47\",". When I use spath and count by event_id, Splunk also adds 47 to the events, so I end up with duplicate event_ids for each event_id: (1, "1",), (2, "2",) etc.
Is there a way to explicitly turn off Splunk parsing so that I can parse Message in the search (| spath input=Message | stats count by event_id)?
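One search-time way to sidestep the collision described above, added here as an example and not part of the original post: have spath write the JSON value to a field name that automatic key-value extraction never touches, so the two extraction passes cannot merge into one multivalue field. The index and sourcetype names are assumptions.

```spl
index=wineventlog sourcetype="WinEventLog"    /* assumed index and sourcetype */
    Message="*\"event_id\"*"                   /* only events whose Message carries the JSON */
/* Extract the JSON event_id into a separately named field (json_event_id).
   The auto-extracted event_id (value "\"47\",") is left alone and ignored. */
| spath input=Message path=event_id output=json_event_id
| spath input=Message path=severity output=json_severity
/* Count on the JSON-derived field only, so each event contributes one clean value. */
| stats count by json_event_id, json_severity
| sort - count
```

If the automatic key-value pass is never wanted for this sourcetype, the persistent alternative is `KV_MODE = none` (or `KV_MODE = json`) in the sourcetype's props.conf stanza, which disables the search-time key=value extraction for all events of that sourcetype, including any fields other searches may rely on.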