How to access a JSON that does not have a field na...

wantjoule · ‎03-21-2017

Hi All,

I've used spath before to access JSON, but the log entry i currently have does not have a name associated to the JSON and i am having a hard time cracking into it. in the example log entry below i might want to extract out the src_ip,a_labels>app, a_labels>env

raw:

sev=INFO pid=5675 tid=7777567567 rid=0 {"tbo":40,"pn":"name.exe","src_ip":"11.22.33.44""a_labels":[{"app":"appname1"},{"env":"env1"}],"b_labels":[{"app":"appname2"}{"env":"env2"}],"pd":0}


sev=INFO  
pid=5675 
tid=7777567567 
rid=0 
    {
        "tbo":40,
        "pn":"name.exe",
        "src_ip":"11.22.33.44"
        "a_labels":
            [
                {"app":"appname1"},
                {"env":"env1"}
            ],
        "b_labels":
            [
                {"app":"appname2"}
                {"env":"env2"}
            ],
        "pd":0
    }

somesoni2 · ‎03-21-2017

You would need to extract that json string into a field and then use spath command. Like this

your base search | rex "^(\S+\s+){4}(?<json_data>\{.+)" | spath input=json_data

wantjoule · ‎03-21-2017

Thank you @somesoni2 but i tried this and it didn't seem to extract the JSON into the field, so the spath didn't work

Can you explain what is happening in the rex.

How to access a JSON that does not have a field name?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM