This question should have been titled "How to parse JSON mixed in with text data or a timestamp?"
Does Splunk support multi-character delimiters?
I am trying to parse the fields: duration, status and url from the following log entry (all on one line):
2014-08-14 22:43:28,966 {"metricEvent":{"systemName":"production","metricId":"httpClientDao","userAgent":"null","acceptLanguage":"null","serverIP":"127.0.0.1","parameters":{"duration":"156","status":"404","api":"platform","Request":"2967231","url":"htttp://mysite/mypath"}}}
All of my fields are quoted and they are key-value pairs separated by ',' with the ':' as the equal sign. Using a multi-character delimiter like \",\" does not work. Is there an obvious answer I am missing other than using regex and splitting it up myself?
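An added example, not part of the original post and not Splunk configuration: a stand-alone Python sketch of the general approach of peeling off the timestamp prefix and handing the remainder to a JSON parser rather than splitting on `","`. The sample line is constructed in the shape of the entry above, with a `","` placed inside the url value to show where delimiter splitting breaks; the function names are hypothetical.

```python
import json
from datetime import datetime

# Constructed sample: same shape as the log entry in the question, with a
# quoted comma sequence inside the url value (escaped as \" in the JSON).
SAMPLE = ('2014-08-14 22:43:28,966 {"metricEvent":{"systemName":"production",'
          '"metricId":"httpClientDao","parameters":{"duration":"156",'
          '"status":"404","url":"http://example.invalid/a,b\\",\\"c"}}}')

TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"  # comma before the milliseconds


def flatten(obj, prefix=""):
    """Turn nested JSON objects into dotted field names."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def parse_line(line):
    """Split 'timestamp {json}' and return (datetime, flat field dict).

    Raises ValueError when the timestamp or the JSON object is missing
    or malformed (json.JSONDecodeError is a ValueError subclass).
    """
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON object in line")
    ts = datetime.strptime(line[:start].strip(), TS_FORMAT)
    # raw_decode stops at the end of the first JSON value, so any text
    # trailing the object does not break parsing.
    obj, _end = json.JSONDecoder().raw_decode(line, start)
    return ts, flatten(obj)


if __name__ == "__main__":
    when, fields = parse_line(SAMPLE)
    print(when.isoformat())
    for name in ("duration", "status", "url"):
        print(name, "=", fields["metricEvent.parameters." + name])
```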