topic Re: How to extract the data present in {} in Splunk Search. in All Apps and Add-ons

How to extract the data present in curly braces {} in Splunk Search?

zen29d — Mon, 13 Jun 2022 20:00:46 GMT

If the data present in json format {[]} get extracted, however when data present in {} as shown below doesn't behave same. How fields and values can be extracted from data in {}

_raw data:

{"AlertEntityId": "abc@domai.com", "AlertId": "21-3-1-2-4--12", "AlertType": "System", "Comments": "New alert", "CreationTime": "2022-06-08T16:52:51", "Data": "{\"etype\":\"User\",\"eid\":\"abc@domai.com\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"abc@domai.com\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"Jeff Nichols <jeff@Nichols.com>\",\"sip\":\"1.2.3.4\",\"srt\":\"1\",\"trc\":\"abc@domai.com\",\"ms\":\"Grok - AI/ML summary, case study, datasheet\",\"lon\":\"UserSubmission\"}"}

When I perform query "| table Data", I get the below result, But how to get values of "eid", "tsd".

{"etype":"User","eid":"abc@domai.com","op":"UserSubmission","tdc":"1","suid":"abc@domai.com","ut":"Regular","ssic":"0","tsd":"Jeff Nichols <jeff@Nichols.com>","sip":"1.2.3.4","srt":"1","trc":"abc@domai.com","ms":"Grok - AI/ML summary, case study, datasheet","lon":"UserSubmission"}

Re: How to extract the data present in {} in Splunk Search.

ITWhisperer — Mon, 13 Jun 2022 07:02:00 GMT

| spath input=Data

Re: How to extract the data present in {} in Splunk Search.

zen29d — Mon, 13 Jun 2022 07:26:04 GMT

Not working.

Re: How to extract the data present in {} in Splunk Search.

ITWhisperer — Mon, 13 Jun 2022 07:31:49 GMT

In what way?

Re: How to extract the data present in {} in Splunk Search.

zen29d — Mon, 13 Jun 2022 07:39:16 GMT

Requirement is
Data.eid should give the value "abc@domai.com"
Data.tsd should give the value "Jeff Nichols<jeff@Nichols.com>"

I tried above query with below combination, but none of them give result.
| spath input=Data
| spath output=sender path=Data.tsd

Re: How to extract the data present in {} in Splunk Search.

zen29d — Mon, 13 Jun 2022 07:51:24 GMT

Re: How to extract the data present in {} in Splunk Search.

ITWhisperer — Mon, 13 Jun 2022 08:11:28 GMT

| makeresults | fields - _time | eval _raw="{\"AlertEntityId\": \"abc@domai.com\", \"AlertId\": \"21-3-1-2-4--12\", \"AlertType\": \"System\", \"Comments\": \"New alert\", \"CreationTime\": \"2022-06-08T16:52:51\", \"Data\": \"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"abc@domai.com\\\",\\\"op\\\":\\\"UserSubmission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"abc@domai.com\\\",\\\"ut\\\":\\\"Regular\\\",\\\"ssic\\\":\\\"0\\\",\\\"tsd\\\":\\\"Jeff Nichols <jeff@Nichols.com>\\\",\\\"sip\\\":\\\"1.2.3.4\\\",\\\"srt\\\":\\\"1\\\",\\\"trc\\\":\\\"abc@domai.com\\\",\\\"ms\\\":\\\"Grok - AI/ML summary, case study, datasheet\\\",\\\"lon\\\":\\\"UserSubmission\\\"}\"}" | spath | spath input=Data | eval tsd=replace(tsd,"<","<") | eval tsd=replace(tsd,">",">")

Re: How to extract the data present in {} in Splunk Search.

zen29d — Tue, 14 Jun 2022 03:01:00 GMT

Thanks for the help.