topic Re: Additional fields extraction from json data in Getting Data In

Additional fields extraction from json data

RSS_STT — Mon, 30 Oct 2023 05:18:34 GMT

I have field CI extracted from json payload

{
"Name": "zSeries",
"Severity":5,
"Category":"EVENT",
"SubCategory":"Service issues - Unspecified",
"TStatus": "OPEN",
"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",
"Component": "iphone"
}

Further, i want the CI field value extracted using DELIMS = ";". I have created below props & transforms configuration but not working.

[source::cluster_test]
REPORT-fields = ci-extraction

[ci-extraction]
SOURCE_KEY = CI
DELIMS = ";"
FIELDS = CI_V2,CI_1,CI_2,CI_3,CI_4,CI_5

Any help highly appreciated.

Re: Additional fields extraction from json data

gcusello — Mon, 30 Oct 2023 06:56:46 GMT

Hi @RSS_STT,

I cannot debug your fields extraction without accessing your system, but you could use a regex:

| rex "\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;]*);(?<CI_2>[^;]*);(?<CI_3>[^;]*);(?<CI_4>[^;]*);(?<CI_5>[^\"]*)"

| rex field=CI "(?<CI_V2>[^;]*);(?<CI_1>[^;]*);(?<CI_2>[^;]*);(?<CI_3>[^;]*);(?<CI_4>[^;]*);(?<CI_5>[^\"]*)"

that you can test at https://regex101.com/r/fndJqR/1

Ciao.

Giuseppe

Re: Additional fields extraction from json data

kamlesh_vaghela — Mon, 30 Oct 2023 07:12:12 GMT

@RSS_STT

You can also try adding this in props.conf.

[cluster_test] EXTRACT-fields = "CI":\s"(?<CI_V2>.*)\;(?<CI_1>.*)\;(?<CI_2>.*)\;(?<CI_3>.*)\;(?<CI_4>.*)\;(?<CI_5>.*)\",

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: Additional fields extraction from json data

RSS_STT — Mon, 30 Oct 2023 07:25:18 GMT

CI filed values won't be constant. Sometime it can contain 3 value, sometime 4 or 5 value with semicolon separated.

But 1st word in CI filed is fix that is V2. How can we handle that with inline rex or with props.

Example:

"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",

"CI": "V2;Y;Linx;srv048",

"CI": "V2;LX;apple;rose;server",

Re: Additional fields extraction from json data

gcusello — Mon, 30 Oct 2023 08:02:17 GMT

Hi @RSS_STT ,

please try this:

| rex "\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);(?<CI_3>[^;\"]*);(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)"

Ciao.

Giuseppe

Re: Additional fields extraction from json data

RSS_STT — Mon, 30 Oct 2023 08:29:01 GMT

It's not working..

Re: Additional fields extraction from json data

gcusello — Mon, 30 Oct 2023 08:38:26 GMT

Hi @RSS_STT ,

please try this regex:

(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)

that you can test at https://regex101.com/r/fndJqR/2

Ciao.

Giuseppe

Re: Additional fields extraction from json data

RSS_STT — Tue, 31 Oct 2023 05:56:57 GMT

Seems to be working for rest of fields by not for CI_V2.

Creating field value CI_V2="CI": "V2 . it should be CI_V2 = V2.

Re: Additional fields extraction from json data

gcusello — Tue, 31 Oct 2023 07:26:58 GMT

Hi @RSS_STT ,

sorry! I was focused on the other fields and I forrgot the start of the string, please try this:

\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)

that you can test at https://regex101.com/r/fndJqR/3

Ciao.

Giuseppe

Re: Additional fields extraction from json data

RSS_STT — Wed, 01 Nov 2023 06:48:59 GMT

CI_5 field extraction is not proper. As of now all last values (C,srv048 & server) are going into CI_5 which is not correct.

"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",
"CI": "V2;Y;Linx;srv048",
"CI": "V2;LX;apple;rose;server",

Re: Additional fields extraction from json data

gcusello — Wed, 01 Nov 2023 09:24:23 GMT

Hi @RSS_STT,

sorry I forgor one asterisk, please try this:

\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);*(?<CI_5>[^;\"]*)

that you can test at https://regex101.com/r/fndJqR/4

Ciao.

Giuseppe