Channel: Questions in topic: "splunk-enterprise"

Parsing fields from json logs

Hi Splunkers. I'm attempting to search based on fields in a JSON log file. For example, I am trying to search based on the "action" field from the following (sample) JSON event:

{"message":"{\"action\":\"USER_PROFILEACTION\"}","requestfrom":"source","responsestatus":"403","username":"user@name.com","station":"/level1/profile","resource":"/level1/profile","responsetime":275,"starttime":1476061950172,"finishtime":1476061950447}

I've attempted to use spath and also a rex pipe but have had no luck (i.e. here: https://answers.splunk.com/answers/418995/how-to-extract-fields-from-json-which-is-stored-in.html).

In this example it contains "USER_PROFILEACTION". Also note that the string in the action field also contains a trailing backslash at the end of the string. Preferably I'd like to strip this in the process.

Any attempts I've made end up converting the field that the raw JSON log is stored in into a multivalue field, with a second copy of the JSON log.

Thanks in advance.
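Added example, not part of the original question and not Splunk's code: the sample event carries a second JSON document as an escaped string inside "message", so this Python sketch contrasts a pattern run over the raw text (which keeps the escaping backslash) with decoding the outer event and then decoding "message" again. The function names and the regular expression are assumptions made for illustration.

```python
import json
import re

# Sample event copied from the question above.
RAW_EVENT = r'''{"message":"{\"action\":\"USER_PROFILEACTION\"}","requestfrom":"source","responsestatus":"403","username":"user@name.com","station":"/level1/profile","resource":"/level1/profile","responsetime":275,"starttime":1476061950172,"finishtime":1476061950447}'''


def action_from_raw_regex(raw):
    """Pattern match over the raw text (hypothetical pattern).

    The capture runs up to the next double quote, so it also keeps the
    backslash that escapes that quote in the raw event.
    """
    m = re.search(r'action\\":\\"([^"]*)', raw)
    return m.group(1) if m else None


def action_from_nested_json(raw):
    """Decode the outer event, then decode the string in "message" as JSON."""
    outer = json.loads(raw)
    message = outer.get("message")
    if not isinstance(message, str):
        return None
    try:
        inner = json.loads(message)
    except json.JSONDecodeError:
        return None  # "message" holds plain text, not embedded JSON
    return inner.get("action") if isinstance(inner, dict) else None


if __name__ == "__main__":
    print(repr(action_from_raw_regex(RAW_EVENT)))    # value with trailing backslash
    print(repr(action_from_nested_json(RAW_EVENT)))  # clean value
```

In SPL, the second decode corresponds to running spath with input=message against the already extracted message field, rather than against the raw event.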
