Solved: How to extract fields from json attributes?

sergimola · ‎02-21-2023

I am sending some traces from my service to Splunk using the OpenTelemetry Collector and the Splunk HEC exporter.

My traces are getting to Splunk and their fields in general properly identified, but I would like for the attributes of an event that have a json format to be further decomposed into fields.

This is an example of an event:

I would like for the `attributes.data` field to be further decomposed.

Is that possible?

ITWhisperer · ‎02-21-2023

| spath output=data path=attributes.data
| spath input=data

View solution in original post

sergimola · ‎02-21-2023

I've looked into `spath`, but I think there's something else on top of that.

It works for the event itself wich is a json event, but onf the the properties inside this json event is also a json structure.

Using this works fine:

| spath output=data path=attributes.data

But if I want to create a field out of the `Number` property in `attributes.data` that doesn't work

| spath output=data_number path=attributes.data.Number

ITWhisperer · ‎02-21-2023

| spath output=data path=attributes.data
| spath input=data

sergimola · ‎02-21-2023

Oh, nice, this works!

Thanks.

richgalloway · ‎02-21-2023

Use the spath command in your search query to extract fields from JSON events.

---
If this reply helps you, Karma would be appreciated.

ITWhisperer · ‎02-21-2023

You can use spath in your search SPL to extract fields from JSON data.

How to extract fields from json attributes?

field extraction

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All