We have events in the format below, and I was expecting to see the fields without any extraction. But that did not happen. Do you know why?
ReadyToSubmitToFraud
PROCESSING_ERROR
SubmittedToFraud
2013-09-05 15:55:02,403 INFO 10.81.193.150 [AbstractOrderSubmitJob] {"order_status_counts":{"Fraud":"69","ReadyToSubmitToFraud":"962","PROCESSING_ERROR":"0","SubmittedToFraud":"13979"}}
The key/value pairs haven't been extracted because Splunk automatically extracts only key/value pairs in the form key=value.
Thank you. I will read this doc.
In short, you're using multiple delimiters in a single event, so Splunk needs a bit more information.
Try using spath in your search.
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Spath
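An added illustration, not from the original thread: a Python model of Splunk's default key=value auto-extraction versus walking the embedded JSON object the way spath does, run over the event from the question (the regex is an assumption that approximates the real extractor, and the helper names are mine).

```python
import json
import re

# The event from the question above (copied from the thread).
EVENT = ('2013-09-05 15:55:02,403 INFO 10.81.193.150 [AbstractOrderSubmitJob] '
         '{"order_status_counts":{"Fraud":"69","ReadyToSubmitToFraud":"962",'
         '"PROCESSING_ERROR":"0","SubmittedToFraud":"13979"}}')

# Assumption: a simplified model of automatic extraction, which only looks
# for key=value tokens separated by whitespace (quoted values allowed).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def auto_kv_extract(raw):
    """Return what default key=value extraction would find in one raw event."""
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}


def extract_json_fields(raw):
    """Locate the JSON object inside the raw event and flatten it to dotted
    paths, the same shape spath produces (e.g. order_status_counts.Fraud).
    The rough Splunk equivalent is:
        ... | rex "(?<json>\\{.*\\})" | spath input=json
    """
    start = raw.find('{')
    if start == -1:
        return {}
    # raw_decode tolerates trailing text after the object.
    obj, _ = json.JSONDecoder().raw_decode(raw[start:])
    fields = {}

    def walk(node, prefix):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f'{prefix}.{key}' if prefix else key)
        elif isinstance(node, list):
            # spath names list members as path{}; model that with a multivalue list.
            fields[f'{prefix}{{}}'] = node
        else:
            fields[prefix] = node

    walk(obj, '')
    return fields


if __name__ == '__main__':
    print('key=value extraction:', auto_kv_extract(EVENT))   # nothing found
    print('json/spath-style extraction:', extract_json_fields(EVENT))
```

Because the event has no `=` at all, the first function returns nothing, while the second yields the four `order_status_counts.*` fields the poster expected.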