How to Extract Fields from the JSON format data in SPLUNK

Lets say we are getting json format data from any of our index.We want to extract fields from that log.Below we have given one sample of json data.

{ [-]
level: info
message: {“eumObject”:{“eumInfo”:{“eumId”:”68f86e32-8182-4a4b-9ccb-ba8b87cc4fc3″,”eumCoRelationId”:””,”appId”:”operations4.abc.org”,”timeStamp”:

“2018-08-13 16:21:16″,”pageUrl”:”https://operations4.abc.org/portal/fm/P000755/fm-assessments/FR00000011/inherent-risks”,”pageName”:”Operations”,”breadCrumb”:””,”server”:””

,”responseTime”:833,”totalResponseTime”:1679.081623,”projectId”:””},”timingInfo”:{“navigationStart”:0,”unloadEventStart”:0,”unloadEventEnd”:0,”redirectStart”:0

,”redirectEnd”:0,”fetchStart”:4,”domainLookupStart”:4,”domainLookupEnd”:4,

“connectStart”:4,”connectEnd”:4,”secureConnectionStart”:0,

“requestStart”:4,”responseStart”:17,”responseEnd”:17,”domLoading”:23, “domInteractive”:803,”domContentLoadedEventStart”:844,

“domContentLoadedEventEnd”:850,”domComplete”:1169,

“loadEventStart”:1169,”loadEventEnd”:1169},”userInfo”:

{“upi”:”synmon”,”emailId”:””,”browserInfo”:”Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0″,”timeZone”:””,”screenResolution”:”1366×637″},”appInfo”:{},”errorInfo”:{“errorCode”:””,”errorDescription”:””,”errorType”:””},”resourcesInfo”:[],”customKeys”:{“key1″:833,”key2″:1433,”key3″:846,”key4″:844,”key5″:833,”key6″:833,”key7”:1067,

“key8″:””,”key9″:””,”key10″:””}}}
timestamp: 2018-08-13T16:21:32.941Z
}

Screenshot (92)

Here index name is “json” and sourcetype name is “jsonlog’ from where we are getting this json format data.

 

For extracting the fields from the json format data we will use one command called “spath”.We will run the below query and all the fields from the json data will be extracted like magic.

QUERY

index=”json” sourcetype=”jsonlog”
| spath input=message

 

Screenshot (93)

Explanation :

Here we have a structured json format data.In the above query “message” is the existing field name in “json” index .We have used  “spath” command for extract the fields from the log.Here we have used one argument “input” with the “spath” command.Into the “input” argument which key we will use the fields will be extracted from that key.Now we have used the “message” key to extract all the fields which are in between the “message” key.See the above image all the fields are being extracted from the “message” key.

 

Hope this has helped you in achieving the below requirement without fail :

How to Extract Fields from the JSON format data in SPLUNK

Happy Splunking !!

 

Advertisements