Adding additional field from one json field.

jankappe
Explorer

Hi all,

I just started discovering Splunk. I am extracting a file containing JSON data. The data looks something like this:

"DevEUI_uplink": {
        "AckRequested": "1",
        "DevLrrCnt": "5",
        "rawMacCommands": "",
        "Late": "0",
        "ADRbit": "1",
        "LrrLON": "6.440177",
        "payload_hex": "00a0723a032805af1eb9006d4a9b000000",
        "Channel": "LC1",
        "FPort": "4",
        "DevAddr": "15293375"

It's a lot longer, but you get the idea. Splunk extracts the field fine; however, "payload_hex" contains data that needs to be extracted into multiple fields. For example, the last four characters will be the temperature. Is it possible to do this? If so, where would I do this and how?

EDIT: suggestions about where to learn this or specific tutorials are welcome as well.

Any help is much appreciated!

0 Karma

hardikJsheth
Motivator

You can do it by adding a search-time extraction in props.conf,
i.e. EVAL-temperature = substr('DevEUI_uplink.payload_hex', 1, 4)

You can also write a REGEX. Please refer to the docs at
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Createandmaintainsearch-timefieldextract...
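A worked props.conf stanza for the answer above, added here as an example (not code from the original thread). The sourcetype name lora:uplink is a placeholder; it assumes the JSON auto-extraction already yields the field DevEUI_uplink.payload_hex, and it takes the "last four characters are the temperature" layout from the question. Whatever scale or signedness the device applies to that value is not stated in the thread, so the example stops at the raw number:

```ini
# props.conf on the search head, stanza for the sourcetype carrying the JSON.
# "lora:uplink" is an assumed placeholder name; replace it with the real sourcetype.
[lora:uplink]
# Automatic JSON field extraction, producing DevEUI_uplink.payload_hex etc.
KV_MODE = json

# Last four hex characters of the payload ("0000" in the sample event).
# substr() is 1-based; a negative start counts back from the end of the string.
# Field names containing dots must be single-quoted inside eval expressions.
EVAL-temperature_hex = substr('DevEUI_uplink.payload_hex', -4)

# First four characters, i.e. the substr(..., 1, 4) form used in the answer.
EVAL-payload_header = substr('DevEUI_uplink.payload_hex', 1, 4)

# Same slice converted from base 16 to a number, ready for stats/charts.
EVAL-temperature_raw = tonumber(substr('DevEUI_uplink.payload_hex', -4), 16)

# Regex alternative. Inline EXTRACT- rules run before KV_MODE auto-extraction
# in Splunk's search-time order, so they cannot see DevEUI_uplink.payload_hex
# and must match the raw event text instead.
EXTRACT-payload_fields = "payload_hex":\s*"(?<payload_head>[0-9a-fA-F]{4})[0-9a-fA-F]*(?<temperature_hex_rx>[0-9a-fA-F]{4})"
```

Before committing anything to props.conf, try the same expression in the search bar, e.g. `... | eval temperature_hex = substr('DevEUI_uplink.payload_hex', -4)`, and confirm it returns the expected slice on a few real events; the EVAL- line is just that expression moved into configuration so every search on the sourcetype gets the field without repeating it.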

jankappe
Explorer

Thank you, I will look into it!

0 Karma

DalJeanis
SplunkTrust

If that solved your issue, please accept the answer. If it was helpful but did not completely solve the issue, then you can upvote it instead.

0 Karma