How to Extract Fields from the JSON format data in SPLUNK

Let's say we are getting JSON format data in one of our indexes and want to extract fields from that log. Below is a sample of the Splunk JSON data.

(event excerpt as displayed in Splunk; parts of the message value are omitted)

level: info
message: {"eumObject":{"eumInfo":{"eumId":"68f86e32-8182-4a4b-9ccb-ba8b87cc4fc3","eumCoRelationId":"","appId":"","timeStamp":"2018-08-13 16:21:16","pageUrl":"","pageName":"Operations","breadCrumb":"","server":""
[...]
"requestStart":4,"responseStart":17,"responseEnd":17,"domLoading":23,"domInteractive":803,"domContentLoadedEventStart":844,
[...]
{"upi":"synmon","emailId":"","browserInfo":"Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0","timeZone":"","screenResolution":"1366x637"},"appInfo":{},"errorInfo":{"errorCode":"","errorDescription":"","errorType":""},"resourcesInfo":[],"customKeys":{"key1":833,"key2":1433,"key3":846,"key4":844,"key5":833,"key6":833,"key7":1067,
[...]
timestamp: 2018-08-13T16:21:32.941Z

[Screenshot: the sample JSON event as displayed in Splunk]

Here the index name is "json" and the sourcetype name is "jsonlog", which is where this JSON format data comes from.

To extract the fields from the JSON format data we will use one command called "spath". Run the query below and all the fields from the Splunk JSON data will be extracted like magic.


index="json" sourcetype="jsonlog"
| spath input=message

[Screenshot: search results showing the fields extracted from the "message" key]

Explanation:

Here we have structured JSON format data. In the above query, "message" is an existing field in the "json" index. We have used the "spath" command to extract the fields from the log, together with its "input" argument: the key named in "input" is the one whose value spath parses, so the extracted fields are the keys inside that key. Here we have pointed "input" at the "message" key, so every key nested inside "message" is extracted as a field. As the image above shows, all the fields are being extracted from the "message" key.
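
As an added illustration (not code from the original post), here is a small Python emulation of what `spath input=message` does to this event: it parses the JSON text held in the message field and flattens it into spath-style field names such as eumObject.eumInfo.eumId. The event is a constructed, cut-down version of the sample above, and the nested key names it uses are assumed from that sample.

```python
import json
from typing import Any, Dict, List

# Constructed event modelled on the post's "json" index sample: the top-level
# keys are already fields, but "message" holds a JSON *string* (note json.dumps),
# which is why `spath input=message` is needed to reach the keys inside it.
SAMPLE_EVENT = {
    "level": "info",
    "message": json.dumps({"eumObject": {
        "eumInfo": {"eumId": "68f86e32-8182-4a4b-9ccb-ba8b87cc4fc3",
                    "timeStamp": "2018-08-13 16:21:16", "pageName": "Operations"},
        "resourcesInfo": [],
        "customKeys": {"key1": 833, "key2": 1433},
    }}),
    "timestamp": "2018-08-13T16:21:32.941Z",
}


def spath_like(value: Any, prefix: str = "") -> Dict[str, List[str]]:
    """Flatten a parsed JSON value into spath-style field names: nested objects
    become dotted paths (eumObject.eumInfo.eumId) and arrays become a multivalue
    field named key{}. Values are rendered as strings, as Splunk field values are."""
    fields: Dict[str, List[str]] = {}
    if isinstance(value, dict):
        for key, child in value.items():
            fields.update(spath_like(child, f"{prefix}.{key}" if prefix else key))
    elif isinstance(value, list):
        for item in value:  # an empty array yields no field at all
            for name, vals in spath_like(item, prefix + "{}").items():
                fields.setdefault(name, []).extend(vals)
    elif value is not None:
        fields[prefix] = [value if isinstance(value, str) else json.dumps(value)]
    return fields


def extract_from_field(event: Dict[str, Any], input_field: str) -> Dict[str, List[str]]:
    """Emulate `spath input=<field>`: parse that field's JSON text and flatten it.

    A missing field, or one whose value is not a JSON object or array, yields
    no new fields rather than an error (spath likewise extracts nothing from
    a field that does not hold valid JSON or XML)."""
    try:
        parsed = json.loads(event[input_field])
    except (KeyError, TypeError, ValueError):
        return {}
    return spath_like(parsed) if isinstance(parsed, (dict, list)) else {}
```

Because the field names come straight from the keys in the data, anything that writes to the log also decides which fields appear in your search, so later searches should reference the specific paths they need rather than trusting whatever spath produced.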

Hope this has helped you in achieving the below requirement without fail:

How to Extract Fields from the Splunk Json Data in SPLUNK

Happy Splunking!!


One comment

  1. Is there anyway to map or convert JSON forwarded logs to Splunk ES back to their Windows Raw/XML format so that Splunk ES apps/add-ons can see and correlate this data?
