How to extract the data present in {} in Splunk Search

Question

If the data present in json format {[]} get extracted, however when data present in {} as shown below doesn't behave same. How fields and values can be extracted from data in {}

_raw data:

{"AlertEntityId": "abc@domai.com", "AlertId": "21-3-1-2-4--12", "AlertType": "System", "Comments": "New alert", "CreationTime": "2022-06-08T16:52:51", "Data": "{\"etype\":\"User\",\"eid\":\"abc@domai.com\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"abc@domai.com\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"Jeff Nichols <jeff@Nichols.com>\",\"sip\":\"1.2.3.4\",\"srt\":\"1\",\"trc\":\"abc@domai.com\",\"ms\":\"Grok - AI/ML summary, case study, datasheet\",\"lon\":\"UserSubmission\"}"}

When I perform query "| table Data", I get the below result, But how to get values of "eid", "tsd".

{"etype":"User","eid":"abc@domai.com","op":"UserSubmission","tdc":"1","suid":"abc@domai.com","ut":"Regular","ssic":"0","tsd":"Jeff Nichols <jeff@Nichols.com>","sip":"1.2.3.4","srt":"1","trc":"abc@domai.com","ms":"Grok - AI/ML summary, case study, datasheet","lon":"UserSubmission"}

score 3 · Answer 1 · answered Jun 13 '22 at 15:41

3

| spath

by default this will parse the _raw field if the data is in the field "Data"

| spath input=Data

After which eid and tsd will be in fields of the same name.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

answered Jun 13 '22 at 15:41

Daniel Price

443
2
12

How to extract the data present in {} in Splunk Search

1 Answers1