https://community.splunk.com/t5/Getting-Data-In/json-SED-problem/m-p/558306#M92372 <P>Hi ,</P><P>I am having json logs which I on-boarded to Splunk</P><P>&nbsp;</P><LI-CODE lang="markup">{"body":{"records": {"time": "2020-12-20T13:28:50.2164144Z","MachineGroup": "Windows 10", "Timestamp": "2020-12-20T13:27:18.6679858Z", "DeviceName": "3242d4e4.dc.democorp.com", "ReportId": 306737}}},"x-opt-sequence-number":159959006,"x-opt-offset":"2713650553292728","x-opt-enqueued-time":1624195823422}</LI-CODE><P>&nbsp;</P><P>I am trying to remove everything after "}}}" with SEDCMD and my props.conf is below-mentioned</P><P>&nbsp;</P><LI-CODE lang="markup">[json_log] LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Custom disabled = false INDEXED_EXTRACTIONS = json KV_MODE = none DATETIME_CONFIG = CURRENT TRUNCATE = 0 SEDCMD-unwantedfields=s/\}\}\}(.*)/g</LI-CODE><P>&nbsp;</P><P>Fields are not in raw logs, however when expending details can see the field values</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="General_Talos_0-1625487024842.png" style="width: 479px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14939i18440DB860E38400/image-dimensions/479x73?v=v2" width="479" height="73" role="button" title="General_Talos_0-1625487024842.png" alt="General_Talos_0-1625487024842.png" /></span></P><P>Any suggestion, what I am doing wrong ?</P><P><A href="https://regex101.com/r/btYSah/1" target="_blank">https://regex101.com/r/btYSah/1</A></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="General_Talos_0-1625487274300.png" style="width: 523px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14940i9A7B5B8EE045B9CA/image-dimensions/523x408?v=v2" width="523" height="408" role="button" title="General_Talos_0-1625487274300.png" alt="General_Talos_0-1625487274300.png" /></span></P><P>&nbsp;</P> Mon, 05 Jul 2021 12:15:06 GMT General_Talos 2021-07-05T12:15:06Z https://community.splunk.com/t5/Getting-Data-In/json-SED-problem/m-p/558306#M92372 <P>Hi ,</P><P>I am having json logs which I on-boarded to Splunk</P><P>&nbsp;</P><LI-CODE lang="markup">{"body":{"records": {"time": "2020-12-20T13:28:50.2164144Z","MachineGroup": "Windows 10", "Timestamp": "2020-12-20T13:27:18.6679858Z", "DeviceName": "3242d4e4.dc.democorp.com", "ReportId": 306737}}},"x-opt-sequence-number":159959006,"x-opt-offset":"2713650553292728","x-opt-enqueued-time":1624195823422}</LI-CODE><P>&nbsp;</P><P>I am trying to remove everything after "}}}" with SEDCMD and my props.conf is below-mentioned</P><P>&nbsp;</P><LI-CODE lang="markup">[json_log] LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Custom disabled = false INDEXED_EXTRACTIONS = json KV_MODE = none DATETIME_CONFIG = CURRENT TRUNCATE = 0 SEDCMD-unwantedfields=s/\}\}\}(.*)/g</LI-CODE><P>&nbsp;</P><P>Fields are not in raw logs, however when expending details can see the field values</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="General_Talos_0-1625487024842.png" style="width: 479px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14939i18440DB860E38400/image-dimensions/479x73?v=v2" width="479" height="73" role="button" title="General_Talos_0-1625487024842.png" alt="General_Talos_0-1625487024842.png" /></span></P><P>Any suggestion, what I am doing wrong ?</P><P><A href="https://regex101.com/r/btYSah/1" target="_blank">https://regex101.com/r/btYSah/1</A></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="General_Talos_0-1625487274300.png" style="width: 523px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14940i9A7B5B8EE045B9CA/image-dimensions/523x408?v=v2" width="523" height="408" role="button" title="General_Talos_0-1625487274300.png" alt="General_Talos_0-1625487274300.png" /></span></P><P>&nbsp;</P> Mon, 05 Jul 2021 12:15:06 GMT https://community.splunk.com/t5/Getting-Data-In/json-SED-problem/m-p/558306#M92372 General_Talos 2021-07-05T12:15:06Z https://community.splunk.com/t5/Getting-Data-In/json-SED-problem/m-p/558320#M92376 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230358">@General_Talos</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">[json_log] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true SEDCMD-unwantedfields=s/\}\}\}(.*)/}}}/g</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Mon, 05 Jul 2021 14:51:14 GMT https://community.splunk.com/t5/Getting-Data-In/json-SED-problem/m-p/558320#M92376 kamlesh_vaghela 2021-07-05T14:51:14Z https://community.splunk.com/t5/Getting-Data-In/json-SED-problem/m-p/558332#M92377 <P>Thanks @kamlesh</P><P>Minor changes, resulted in required result.</P><LI-CODE lang="markup">SEDCMD-unwantedfields=s/\}\}\}(.*)\}/g</LI-CODE><P>&nbsp;</P> Mon, 05 Jul 2021 16:57:18 GMT https://community.splunk.com/t5/Getting-Data-In/json-SED-problem/m-p/558332#M92377 General_Talos 2021-07-05T16:57:18Z