How to parse a json field?

Follow

Peter Olds

• February 21, 2017 18:49

We have a collector that sends JSON formatted logs to Sumo, but the thing that sends to the collector sends pseudo-keyvalue formatted logs. For example here is a sample event that's logged: ``` { "id":"1", "timestamp":1487702107728, "message":"time=\"2017-02-21T18:35:07Z\" level=info msg=\"status=\"200\" method=\"GET\" duration=\"349.302982ms\"ua=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\"\" ", "requestID":"1", "logGroup":"ecs" } ``` Parsing the json is easy enough, but I'm trying to parse the events that happen in the "message" field like "status" or "level". Any ideas are appreciated. The query I have so far looks something like: _sourceCategory=mycategory | json auto nodrop | where logGroup = "ecs" | message | keyvalue infer "level" Which doesn't entirely work because keyvalue is wanting brackets around the values.

1

• 

  Kenneth Ord

  • April 02, 2019 09:36

  I'm seeing something similar too. Extract a number of key/value pairs as JSON and then you can't then subparse it as JSON because the JSON formatting is lost, losing quote marks, etc. Did you solve it?

  0

  Comment actions Permalink
• 

  Rich Razon

  • December 07, 2020 17:06

  Found answer here:

  https://help.sumologic.com/05Search/Search-Query-Language/01-Parse-Operators/Parse-field-option

  For example,

  log entry:

  RequestEnd : GET /v1/sensor/shipments/status 200 317 - 235.876 ms

  sumo query:

  | json auto
  | parse field=message "RequestEnd : * * * * - *.* ms " as method, uri, status, unknown, milliseconds, millisecondsDecimal

  0

  Comment actions Permalink

Please sign in to leave a comment.