How to extract key value pairs from my sample data...

bharat1478 · ‎02-04-2016

I have a log that looks like this (with lot more fields):

04FEB2016_18:05:49.440 10789:1 INFO Struct='SListmanTskSubTranV6' IO='O' EventId=17086 Event='LISTMAN_UPDATE_FOR_EXEC_RPT  REPORT' Order=1094966 To='MULT' ...

I want to extract events like these from Splunk and want the output to be a VALID json object. So in this case, output should look like:

{"Struct":'SListmanTskSubTranV6', "IO":'O', "EventId":17086, "Event":'LISTMAN_UPDATE_FOR_EXEC_RPT  REPORT', "Order":1094966, "To":'MULT'}

Is there a way to achieve this in Splunk? Our string field values can have spaces or characters like ', ", \, etc. in it

somesoni2 · ‎02-04-2016

See below link for different option to export search results (including json format)

http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Exportsearchresults#Choose_your_export_form...

bharat1478 · ‎02-04-2016

We have a python service that is using REST API to query splunk. We want to get raw data from splunk in json format even though our actual log is in key=value format.
Looks like above documentation doesn't achieve that.

s2_splunk · ‎02-04-2016

Why? Do you want to use Splunk as a log format converter!?
You can probably do that with a bunch of eval statements, but it won't be pretty.

bharat1478 · ‎02-04-2016

We have an application that need this information in json format. We don't have the luxury to change the logging application to log in json format.

How to extract key value pairs from my sample data and have the output in JSON format?

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!