topic Re: RegEx to Parse Field Containing Json Format in Splunk Search

RegEx to Parse Field Containing Json Format

ahaveles — Wed, 15 Apr 2020 21:23:20 GMT

I am attempting to parse logs that contain fields similar to the example below. Field name being ValidFilterColumns, which contains an json format of these objects containing key/value pairs for Id and Name.

ValidFilterColumns="[{"Id":"124","Name":"OrderId"},{"Id":"25","Name":"AssetClass"},{"Id":"123","Name":"Custodian"},{"Id":"13","Name":"Country"},{"Id":"1","Name":"Symbol"}]"

My question is, how could I compose a RegEx that parses out the Ids and Names of each object in the array?

Also as a note: I have tried making the fields extracted fields, but they will only function properly if another log's field contains the same number of objects.

Re: RegEx to Parse Field Containing Json Format

to4kawa — Wed, 15 Apr 2020 23:44:03 GMT

| makeresults
| eval _raw="ValidFilterColumns=\"[{\"Id\":\"124\",\"Name\":\"OrderId\"},{\"Id\":\"25\",\"Name\":\"AssetClass\"},{\"Id\":\"123\",\"Name\":\"Custodian\"},{\"Id\":\"13\",\"Name\":\"Country\"},{\"Id\":\"1\",\"Name\":\"Symbol\"}]"
| rex max_match=0 "(?ms){\"Id\":\"(?<id>\d+)\",\"Name\":\"(?<Name>\w+)\"}"

| rex mode=sed "s/(.*)=\"(.*)\"/{\"\1\":\2}/"
| spath

as you like.

Re: RegEx to Parse Field Containing Json Format

ahaveles — Thu, 16 Apr 2020 13:44:09 GMT

Sorry I am a bit lost, should these all be chained together in the search as they are above, or are lines 2 and 3 interchangeable with lines 5 and 6?

Re: RegEx to Parse Field Containing Json Format

to4kawa — Thu, 16 Apr 2020 20:32:55 GMT

no, not chain. Here is two method.