How to extract data into separate fields (from nested JSON, extracting additional fields using spath)?

alexsok — Sun, 07 Jun 2020 01:06:25 GMT

I have this data coming in:

{"endpointType":"MAC","appName":"Tracker","endpointId":"1d11dd05-a8a9-11e9-a74b-873869538d14","ip":"192.168.41.1","endpointName":"tess-mbp.lan","timestampUTC":"2020-05-27T17:07:49Z","userName":"john","type":"FileSystemObserver","hostname":"test.com","userItemId":"rm-71a7812d-9444-11e8-8e37-8b2186626e5a","clientIp":"11.212.222.240","host":"dev.test.com:192.168.48.5","userEmail":"john@test.com","details":"{\"message\":\"{\\\"type\\\":\\\"File\\\", \\\"action\\\":\\\"Renamed\\\", \\\"timestamp\\\":\\\"1590599269\\\", \\\"path\\\":\\\"/Users/john/Library/Application Support/Google/Chrome/Default/Service Worker/CacheStorage/eadf114e35641d8a14aa9648d8e1c01b4b3bb3f0/index.txt\\\", \\\"sysinfo\\\":\\\"{\\\"ItemRenamed\\\",\\\"ItemIsFile\\\"}\\\"}\"}","authType":"MEMBER_ENDPOINT","requestSignature":"POST_/v3/report","epochTime":"1590599269","user-agent":"RR Endpoint/ag-2.10.1.797 (Darwin; 19.4.0; x86_64; tests-mbp.lan; 78:4f:41:7e:e1:06)"}

Data from details is not getting extracted. I need to get all data from details in separate fields, like:

type: File
action: Renamed
path: Users/john.........
sysinfo:
ItemRenamed:

If someone could help, it would be very appreciated.

Re: How to extract data into separate fields (from nested JSON, extracting additional fields using spath)?

to4kawa — Thu, 28 May 2020 22:33:08 GMT

your search
| table details
| spath input=details
| rex field=message "sysinfo\":\"(?<sysinfos>.*})\""
| spath input=message
| rename sysinfos as sysinfo

topic Re: How to extract data into separate fields (from nested JSON, extracting additional fields using spath)? in Getting Data In

How to extract data into separate fields (from nested JSON, extracting additional fields using spath)?

Re: How to extract data into separate fields (from nested JSON, extracting additional fields using spath)?