How to Extract Fields from the Splunk Json Data in SPLUNK
Let's say we are getting JSON-format data in one of our indexes and want to extract fields from those logs. Below is one sample of the Splunk JSON data.
{
level: info
message: {"eumObject":{"eumInfo":{"eumId":"68f86e32-8182-4a4b-9ccb-ba8b87cc4fc3","eumCoRelationId":"","appId":"operations4.abc.org","timeStamp":"2018-08-13 16:21:16","pageUrl":"https://operations4.abc.org/portal/fm/P000755/fm-assessments/FR00000011/inherent-risks","pageName":"Operations","breadCrumb":"","server":"","responseTime":833,"totalResponseTime":1679.081623,"projectId":""},
"timingInfo":{"navigationStart":0,"unloadEventStart":0,"unloadEventEnd":0,"redirectStart":0,"redirectEnd":0,"fetchStart":4,"domainLookupStart":4,"domainLookupEnd":4,"connectStart":4,"connectEnd":4,"secureConnectionStart":0,"requestStart":4,"responseStart":17,"responseEnd":17,"domLoading":23,"domInteractive":803,"domContentLoadedEventStart":844,"domContentLoadedEventEnd":850,"domComplete":1169,"loadEventStart":1169,"loadEventEnd":1169},
"userInfo":{"upi":"synmon","emailId":"","browserInfo":"Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0","timeZone":"","screenResolution":"1366x637"},
"appInfo":{},
"errorInfo":{"errorCode":"","errorDescription":"","errorType":""},
"resourcesInfo":[],
"customKeys":{"key1":833,"key2":1433,"key3":846,"key4":844,"key5":833,"key6":833,"key7":1067,"key8":"","key9":"","key10":""}}}
timestamp: 2018-08-13T16:21:32.941Z
}
Here the index name is "json" and the sourcetype name is "jsonlog", from which we are getting this JSON-format data.
To extract the fields from the JSON-format data we will use a command called "spath". We will run the below query and all the fields from the Splunk JSON data will be extracted like magic.
QUERY
index="json" sourcetype="jsonlog"
| spath input=message
Explanation:
Here we have structured JSON-format data. In the above query, "message" is an existing field in the "json" index. We have used the "spath" command to extract the fields from the log, together with its "input" argument: the key named in "input" is the one whose value spath parses, and the fields are extracted from that key. Here we have used the "message" key, so all the fields nested inside the "message" value are extracted. See the above image: all the fields are being extracted from the "message" key.
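To make concrete what spath does with the "message" value, here is an added Python emulation (not part of the original post and not Splunk's own code) that parses the JSON string held in one field and flattens it into spath-style field names; the sample event is constructed from the one above with most values trimmed. It goes beyond the sample, whose resourcesInfo array is empty, by also showing how array elements get the `{}` suffix and how a repeated name becomes a multivalue field.

```python
import json

# Constructed sample event modelled on the one above (values trimmed); the
# "message" field holds JSON as a string, hence `spath input=message`.
SAMPLE_EVENT = {
    "level": "info",
    "message": json.dumps({"eumObject": {
        "eumInfo": {"eumId": "68f86e32-8182-4a4b-9ccb-ba8b87cc4fc3",
                    "appId": "operations4.abc.org", "responseTime": 833},
        "userInfo": {"upi": "synmon", "emailId": ""},
        "appInfo": {}, "resourcesInfo": [],
        "customKeys": {"key1": 833, "key8": ""}}}),
    "timestamp": "2018-08-13T16:21:32.941Z",
}


def flatten(value, prefix=""):
    """Yield (field_name, leaf_value) pairs for a parsed JSON value, using
    spath's naming: nested keys are joined with '.', and array elements take
    the array's name suffixed with '{}'. Empty objects/arrays yield no fields.
    """
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for item in value:
            yield from flatten(item, prefix + "{}")
    else:
        yield prefix, value


def spath_input(event, input_field="message"):
    """Emulate `| spath input=<field>`: parse the JSON string held in
    `input_field` and return the extracted fields. A missing field or invalid
    JSON extracts nothing (spath then passes the event through unchanged).
    """
    raw = event.get(input_field)
    if not isinstance(raw, str):
        return {}
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    fields = {}
    for name, val in flatten(parsed):
        fields.setdefault(name, []).append(val)
    # A name that repeats (array of objects) stays a multivalue list, like
    # spath's multivalue fields; everything else is unwrapped to a scalar.
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}
```

Running `spath_input(SAMPLE_EVENT)` yields names such as `eumObject.eumInfo.eumId` and `eumObject.customKeys.key1`, which is exactly the naming you see in the field sidebar after the query above.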
Hope this has helped you in achieving the below requirement without fail:
How to Extract Fields from the Splunk Json Data in SPLUNK
Happy Splunking !!
Is there any way to map or convert JSON forwarded logs to Splunk ES back to their Windows Raw/XML format so that Splunk ES apps/add-ons can see and correlate this data?