https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606119#M105328 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/208244">@korstiaans</a>,</P><P>I had a problem like your and I solved with SEDCMD:</P><LI-CODE lang="markup">SEDCMD-remove_header = s/\{\"activities\": \[\{\"kind\".*/\[\{\"kind\".*/flags</LI-CODE><P>But before this, did you tried the spath command?</P><P>I think that should solve your need..</P><P>Ciao.</P><P>Giuseppe</P> Tue, 19 Jul 2022 09:48:05 GMT gcusello 2022-07-19T09:48:05Z https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606118#M105327 <P>Hi Splunkers,&nbsp;</P><P>I have a question related to a json file that I'm trying to parse.I want to remove the first part of it until {"kind"), see sample file is added below.&nbsp;</P><P>I tried using the FIELD_REGEX_HEADER in props.conf which I think is supposed to that so far I've tried an failed with the following:</P><P>FIELD_HEADER_REGEX={"activities":\s\[(.)<BR />FIELD_HEADER_REGEX={"activities":\s\[<BR />FIELD_HEADER_REGEX={"activities":<BR />FIELD_HEADER_REGEX=\{\"activities\"\:</P><P>Some of the above work on regexr.com with the sample data.&nbsp;</P><P><SPAN>{"activities": [{"kind": "admin#reports#activity", "id": {"time": "</SPAN><SPAN class="">2022-07-18T14:04:19.866Z</SPAN><SPAN>", "uniqueQualifier": "-2451221827967636314", "applicationName": "<STRONG>redacted</STRONG>", "customerId": "<STRONG>redacted</STRONG>"}, "etag": "\"dng2uCItaXPqmMj2MG4RUqVkRjnE_4kf0VvQ0_WkiTg/6j3Reg7FneLgLDfjE-lZuZUOrdc\"", "actor": {"callerType": "USER", "email": "<STRONG>redacted</STRONG><STRONG>"</STRONG>, "profileId": "<STRONG>redacted</STRONG>"}, "ipAddress": "<STRONG>redacted</STRONG>", "events": [{"type": "SECURITY_INVESTIGATION", "name": "SECURITY_INVESTIGATION_QUERY", "parameters": [{"name": "INVESTIGATION_DATA_SOURCE", "value": "USER LOG EVENTS"}, {"name": "INVESTIGATION_QUERY", "value": "(empty)"}]}]},</SPAN></P><P>Any help is appreciated thank you!</P> Tue, 19 Jul 2022 09:42:06 GMT https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606118#M105327 korstiaans 2022-07-19T09:42:06Z https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606119#M105328 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/208244">@korstiaans</a>,</P><P>I had a problem like your and I solved with SEDCMD:</P><LI-CODE lang="markup">SEDCMD-remove_header = s/\{\"activities\": \[\{\"kind\".*/\[\{\"kind\".*/flags</LI-CODE><P>But before this, did you tried the spath command?</P><P>I think that should solve your need..</P><P>Ciao.</P><P>Giuseppe</P> Tue, 19 Jul 2022 09:48:05 GMT https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606119#M105328 gcusello 2022-07-19T09:48:05Z https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606120#M105329 <P>Hi Giuseppe,</P><P>Thanks for the quick response, so it's only a problem for the first line I managed to split the other events and they are indexes as json so no need for spath.&nbsp;</P><P>I'll try your SEDCMD suggestion and get back with the results.&nbsp;</P> Tue, 19 Jul 2022 09:59:14 GMT https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606120#M105329 korstiaans 2022-07-19T09:59:14Z https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606125#M105330 <P>Unfortunately it didn't work for completeness sake I've added the props.conf I used.</P><P>[gws:test]<BR />KV_MODE= json<BR />LINE_BREAKER = }]},(.)<BR />SEDCMD-remove_header =SEDCMD-remove_header = s/\{\"activities\": \[\{\"kind\".*/\[\{\"kind\".*/flags<BR />disabled=false<BR />pulldown_type=true<BR />SHOULD_LINEMERGE = false</P><P>&nbsp;</P> Tue, 19 Jul 2022 10:14:22 GMT https://community.splunk.com/t5/Getting-Data-In/Need-some-help-with-FIELD-HEADER-REGEX-and-json-data/m-p/606125#M105330 korstiaans 2022-07-19T10:14:22Z