Splunk Search

Extract JSON formatted data

sathiyasun
Explorer

Below is the sample JSON log content. The main fields are extracted by default, but the nested ones aren't. Please help to extract the nested space-separated data as fields.

The one I want to extract as a separate field is the line


tag: service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890


Whole log event
{ [-]
line: { [-]
@timestamp: 2023-10-31T20:36:57.092Z
class: x.x.x.x.x.Logging
exception:
line: 54
marker:
message: GET https://00.00.000.000:123456/management/health forwarded from [] by [] for unknown returned 200 in 1ms
pid: 7
severity: INFO
span: b60d05680b3cbfa7
thread: boundedElastic-9
trace: b60d05680b3cbfa7
}
source: stdout
tag: service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890
}


yuanliu
SplunkTrust

As @ITWhisperer said, illustrate structured data in raw format, not with Splunk's condensation.

If you already have a top level key "tag", I suspect that you actually want the key-value pairs in that value ("service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz container-id=asdfgh503 full-container-id=1234567890") extracted, not to extract that line again. Maybe the key "tag" is not top level. In that case, you will need to tell us what the path leading to tag is. In all cases, raw format will help volunteers diagnose.

If "tag" is top level, you can use kv (aka extract) to extract fields like service, APPID, etc., like


| rename _raw AS temp, tag AS _raw
| kv
| rename _raw AS tag, temp as _raw


Your sample should give

APPID              1234
application        z2
cluster            z2-qa1-local
container_id       asdfgh503
full_container_id  1234567890
full_imagename     0123456789.dkr.10cal/10.20/xyz
service            z2-qa1-local-z2-api-endpoint

Is this something you are looking for?

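The rename/kv trick in the answer above (run the key=value extractor over one field's value rather than the whole event) reproduced outside Splunk, as an added example that is not part of the original thread. The sample event is constructed from the values in the question, the regex and the key cleaning are approximations of what `kv` does (hyphens in keys become underscores, as in the expected output), and `extract_tag_fields`, `field_at` and the `path` argument are names chosen here, not Splunk API.

```python
"""Pull key=value pairs out of one JSON field, the way `rename tag AS _raw | kv` does."""
import json
import re
from typing import Any, Dict, Sequence

# Constructed sample event modelled on the one in the question (placeholder values).
SAMPLE_EVENT = json.dumps({
    "line": {
        "@timestamp": "2023-10-31T20:36:57.092Z",
        "class": "x.x.x.x.x.Logging",
        "message": "GET https://00.00.000.000:123456/management/health returned 200 in 1ms",
        "severity": "INFO",
    },
    "source": "stdout",
    "tag": ("service=z2-qa1-local-z2-api-endpoint APPID=1234 cluster=z2-qa1-local "
            "application=z2 full-imagename=0123456789.dkr.10cal/10.20/xyz "
            "container-id=asdfgh503 full-container-id=1234567890"),
})

# key=value where the value is either double-quoted (may contain spaces) or a bare
# run of non-space characters. Approximates the default kv pair extraction.
KV_RE = re.compile(r'(?P<key>[^\s=]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def clean_key(key: str) -> str:
    """Approximation of Splunk's CLEAN_KEYS: characters outside [A-Za-z0-9_] become
    '_', then leading underscores and digits are dropped (assumption: check
    transforms.conf for the exact rule in your version)."""
    key = re.sub(r"[^A-Za-z0-9_]", "_", key)
    return key.lstrip("_0123456789")


def extract_kv(text: str) -> Dict[str, str]:
    """Return every key=value pair found in text, keyed by the cleaned field name."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(text):
        key = clean_key(m.group("key"))
        if not key:          # a key that was all digits/underscores cleans to nothing
            continue
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        fields[key] = value  # duplicate keys: last occurrence wins in this toy version
    return fields


def field_at(event: Dict[str, Any], path: Sequence[str]) -> str:
    """Walk a JSON object along path (e.g. ("tag",) or ("line", "tag")) to a string value."""
    node: Any = event
    for part in path:
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"path {'/'.join(path)} not found in event")
        node = node[part]
    if not isinstance(node, str):
        raise TypeError(f"field at {'/'.join(path)} is not a string")
    return node


def extract_tag_fields(raw_event: str, path: Sequence[str] = ("tag",)) -> Dict[str, str]:
    """Equivalent of `rename tag AS _raw | kv`: kv over just the one field's value.
    Pass a longer path if "tag" is nested rather than top level."""
    return extract_kv(field_at(json.loads(raw_event), path))


if __name__ == "__main__":
    for k, v in extract_tag_fields(SAMPLE_EVENT).items():
        print(f"{k}={v}")
    # Contrast: kv over the whole raw JSON string drags the closing quote and brace
    # into the last value, which is why the answer isolates the tag value first.
    print(extract_kv(SAMPLE_EVENT)["full_container_id"])
```

Running it prints the seven fields from the expected-output table; the final line shows the dirty value you get when the extraction runs over the raw JSON instead of the isolated tag string.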

ITWhisperer
SplunkTrust

Please share the raw, unformatted event in a code block </> to preserve raw formatting.
