Hello everybody,
I have the following event registered in my Splunk:
Fri Mar 31 11:05:18 COT 2017 name=amqp_msg_received event_id=null msg_queue=seguros.traza.documentoValidado msg_exchange=seguros.cuadre.documentoValidado msg_body={"valid": true}
What I need is to extract the value of "valid". The source_type of the event is json_no_timestamp. How could I do this?
I have tried using spath without luck. Any advice?
Thanks.
Splunk must have extracted the field msg_body with some values, as it's in classic kv format. What value do you get as part of the msg_body field? Will msg_body always contain "valid", or may it be something else?
Hi there mate, did you try something like this?
your search | spath input=msg_body
Hope it helps.
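An offline reproduction of the extraction on the event from the question, as an added example that is not from any poster in this thread. It shows that a plain whitespace-delimited key=value split truncates msg_body at the space inside the JSON, and that decoding the JSON from the position right after `msg_body=` recovers `valid`. The function names are hypothetical, and the naive split is a stand-in for any whitespace-delimited parser, not a statement of what Splunk does with this sourcetype.

```python
import json
import re

# Event copied from the question above.
EVENT = ('Fri Mar 31 11:05:18 COT 2017 name=amqp_msg_received event_id=null '
         'msg_queue=seguros.traza.documentoValidado '
         'msg_exchange=seguros.cuadre.documentoValidado '
         'msg_body={"valid": true}')

KV_RE = re.compile(r'(\w+)=(\S+)')  # naive: a value ends at the first whitespace


def naive_kv(event):
    """Whitespace-delimited key=value split; truncates values containing spaces."""
    return dict(KV_RE.findall(event))


def extract_json_field(event, key):
    """Decode the JSON value that follows 'key=' and return it as a Python object.

    raw_decode() stops at the end of the first complete JSON value, so any
    text after the body is ignored. Returns None if the key is missing or
    the value is not valid JSON.
    """
    m = re.search(r'(?:^|\s)' + re.escape(key) + r'=', event)
    if m is None:
        return None
    try:
        obj, _end = json.JSONDecoder().raw_decode(event, m.end())
    except json.JSONDecodeError:
        return None
    return obj


def valid_flag(event):
    """Return the boolean under msg_body.valid, or None if it cannot be read."""
    body = extract_json_field(event, "msg_body")
    return body.get("valid") if isinstance(body, dict) else None


if __name__ == "__main__":
    print("naive msg_body:", naive_kv(EVENT)["msg_body"])
    print("valid:", valid_flag(EVENT))
```
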