topic Re: need help in formatting the data in Getting Data In

need help in formatting the data

saifuddin9122 — Tue, 29 Sep 2020 16:40:07 GMT

Hello All,

i'm trying to format the "json" formatted data with a custom sourcetype. below are my sample events
{"formatVersion":"1.0", "vendor":"BeyondTrust","product":"BeyondInsight","version":"6.3.1","agentid":"PBPS","severity":"0","eventid":"PBPS","eventname":"Requestor","eventdesc":"Request Response Expire","eventdate":"Nov 07 2017 21:31:11","sourcehost":"test-vm-1","sourceip":"127.0.0.1","eventsubject":"0127.0.00.001","eventtype":"0","user":"ssltest", "nvps" : {"clienthost":"test-vm-1", "eventseverity":"0", "logsystemid":"121", "logtime":"11/07/2017 21:31:11", "username":"ssltest", "userid":"2", "roleused":"Requestor", "objecttypeid":"7", "objecttype":"Request Response", "objectid":"14", "operation":"Expire", "failed":"False", "target":"localhost/btuser", "details":"ReleaseRequest #9"}}{"formatVersion":"1.0", "vendor":"BeyondTrust","product":"BeyondInsight","version":"6.3.1","agentid":"PBPS","severity":"0","eventid":"PBPS","eventname":"System","eventdesc":"Release Request Expire","eventdate":"Nov 07 2017 21:31:11","sourcehost":"test-vm-1","sourceip":"127.0.0.1","eventsubject":"0127.0.00.001","eventtype":"0","user":"Internal process","workgroupid":"1","workgroupdesc":"BeyondTrust Workgroup", "nvps" : {"clienthost":"test-vm-1", "eventseverity":"0", "logsystemid":"122", "logtime":"11/07/2017 21:31:11", "username":"Internal process", "userid":"0", "roleused":"System", "objecttypeid":"6", "objecttype":"Release Request", "objectid":"9", "operation":"Expire", "failed":"False", "target":"ManagedSystem=localhost ManagedAccount=btuser", "details":"ReleaseRequest #9, Ticket #, TicketSystem="}}

and props.conf is
"TIME_PREFIX=\"eventdate\":\"
TIME_FORMAT= %b %d %Y %H:%M:%S
LINE_BREAKER=([\r\n]+)\s*{"formatVersion
SHOULD_LINEMERGE=false
ANNOTATE_PUNCT=false
TRUNCATE = 0
KV_MODE=json
AUTO_KV_JSON=true"

i facing issue at line breaker can any one help me?

Re: need help in formatting the data

nileena — Tue, 29 Sep 2020 16:40:17 GMT

You could use props and transforms to extract key values pairs for json events.

Include this line for the sourcetype in question in the props.conf

    [sourcetype]
    TIME_PREFIX=\"eventdate\":\"
    TIME_FORMAT= %b %d %Y %H:%M:%S
    LINE_BREAKER=([\r\n]+)\s*{"formatVersion
    SHOULD_LINEMERGE=false
    ANNOTATE_PUNCT=false
    TRUNCATE = 0
    REPORT-json_extraction = json_trans

and in the respective transforms.conf:

    [json_trans]
    REGEX = \"([^\":]+)\":\"([^\"\{]+)\"\s*,*\}*
    FORMAT = $1::$2

Sometimes, directly using regex works better than auto_kv or kv_mode or spath.

Re: need help in formatting the data

saifuddin9122 — Fri, 10 Nov 2017 18:17:16 GMT

i tried it but still same issue.

Re: need help in formatting the data

maciep — Fri, 10 Nov 2017 22:36:06 GMT

Where are your lines breaking now? Just every line? Regardless, a few thoughts...

First, is the quote (") in front of your TIME_PREFIX a typo? if not, you probably want to get rid of that.

Second, have you tried escaping the curly brace in your line breaker? I don't think it should need escaped, but might be worth trying.

Third, do you have these settings on your indexer? If not, where are they and where are you ingesting the data?