How to remove header to have only json element

mah — Wed, 01 Sep 2021 08:00:13 GMT

Hi,

I have a log like this :

2021-09-01T07:25:12.314Z id-xxx-xxx-xxx STATE {"Id":"id-xxx-xxx-xxx","timestamp":"2021-09-01T07:25:12.145Z","sourceType":"my_sourcetype","source":"source_name","Type":"my_type","event":{"field":"my_field"},"time":169,"category":"XXX"}

My props.conf is like that :

[extract_json]
TRUNCATE = 999999

SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TIME_PREFIX=timestamp:
MAX_TIMESTAMP_LOOKAHEAD=10000
BREAK_ONLY_BEFORE ={$
MUST_BREAK_AFTER=}$

SEDCMD-remove-header = s/^[0-9T\:Z]*.*\s*{/{/g

My issue is that I need to extract only the json element from my logs but with those parameters from my props I get a bad extraction : the end of my json ( {"field":"my_field"},"time":169,"category":"XXX"} ) goes to an other event line and is not in json.

I have children brackets into parent bracket and I think my SEDCMD is not correct.

I would have the entire json element in one event.

Can you help me please ?

Thank you !

Re: How to remove header to have only json element

ITWhisperer — Wed, 01 Sep 2021 08:15:46 GMT

Try something like

SEDCMD-remove-header = s/^[0-9T\:Z]*.*?\s*{/{/g

Re: How to remove header to have only json element

mah — Wed, 01 Sep 2021 09:24:25 GMT

Hi @ITWhisperer

It seems to work great !

Thanks a lot !

topic How to remove header to have only json element in Splunk Dev

How to remove header to have only json element

Re: How to remove header to have only json element

Re: How to remove header to have only json element