topic How do I extract all fields from userdata? in Splunk Search

How do I extract all fields from userdata?

siksaw33 — Fri, 29 Apr 2022 18:57:34 GMT

How do I extract all fields from userdata?

accept=application/json, timestamp=1651243086870} OutboundWebHookPayload={"clientType":"Client","mediaType":"ask","subject":"EscapeClient","userData":{"country":"UK","lastName":"ELMER","agentId":"7060856","conversationId":"conv_1d55ec01e970c8833e8b8206be287fce","sessionId":"itc_58f7ad65-fcb0-46bd-81-1717f84dd7","chatSessionId":"s_eaf99b35-59fd-4d36-8f8f-c6423f8ec610","locale":"en-GB","languageCode":"en","experience":"Default","publicGuid":"1d55ec01e970c8833e8b8206be287fce","accountNumber":"XXXXXXXXXXXXXXX","firstName":"LUKE","environment":"prod","intentCode":"statement_balance","upfrontRoutingIntent":"CardServices","InteractionType":"Resume","customerId":"508558871407","channelName":"MApp","ProductType":" Card"}}

I tried

userData | rex field=_raw "userData.:{.IACode.:.(?<IACode>[A-Za-f0-9]+).,.country.*upfrontRoutingIntent.:.(?<upfrontRoutingIntent>[^\"]+).," | table IACode upfrontRoutingIntent

But I need other fields like Experience and Product type as well

Re: Using Regex to extract fields

ITWhisperer — Fri, 29 Apr 2022 15:30:50 GMT

| rex "OutboundWebHookPayload=(?<json>\{.*\})" | spath input=json userData output=userData | spath input=userData

Re: Using Regex to extract fields

siksaw33 — Fri, 29 Apr 2022 20:52:29 GMT

Sorry @ITWhisperer this did not work. Maybe I am doing something wrong. But this is not converting and returning the userdata package to a table format.

userData | rex "OutboundWebHookPayload=(?<json>\{.*\})"
| spath input=json userData output=userData
| spath input=userData

Re: Using Regex to extract fields

ITWhisperer — Sun, 01 May 2022 18:00:57 GMT

OK So what are you getting?

Re: Using Regex to extract fields

siksaw33 — Sun, 01 May 2022 18:35:20 GMT

Nothing @ITWhisperer I just get the events that I was getting earlier. No regex parsing. Could you please double check?

Re: Using Regex to extract fields

ITWhisperer — Sun, 01 May 2022 19:51:58 GMT

Does this at least return the json string?

| rex "OutboundWebHookPayload=(?<json>\{.*\})"

Re: How do I extract all fields from userdata?

siksaw33 — Fri, 27 May 2022 14:04:06 GMT

I dont get anyJSON string, I get what I was getting earlier. No changes. I get 1500 events in the below format.

Re: How do I extract all fields from userdata?

ITWhisperer — Mon, 02 May 2022 22:12:59 GMT

Here is a runanywhere example showing the extraction

| makeresults | eval _raw="02 May 2022 11:20:42,825 log_level='DEBUG' thread_name='https-jsse-nio-8443-exec-2999' environment=e3_ipc1 hostName=operator-a-deployment-42-kn9ph class_name='com.wsgcat.ngsp.logan.logger.LoganOperatorOutboundWebhookLogging' app=NGSPLOGAN event_name=LOGANOPERATOR logancorrelationId=fZFtvmmb-02052022-112040911 channel name=bean 'createRequestWithHeaderChannel' LoganOperatorOutboundWebhookLogging Info - OutboundWebHookHeaders={Authorization=Bearer eyJraWQiOiJyc2FLZXlVTklWIiwiYWxnIjoiUlM1MTIifQ.eyJzY3AiOlsiZnVuY3Rpb246XC9DcmVhdGVNZXNzYWdpbmdJbnRlcmFjdGlvbi52MSJdLCJzdWIiOiIzNWIyODNjNi01NTBhLTNiNTctYmZiMC1iY2I1N2Y3ZDRlYzEiLCJ2ZXIiOiIxLjAiLCJpc3MiOiJBbWV4SURhYVNJRCIsInR5cCI6ImFwcCIsImV4cCI6MTY1MTUxNTk2MCwianRpIjoiMjcyNjZmOTMtMTAzZi00M2FkLWE2ZDQtM2M2OGExNmVjNmFkIn0.X2HAnLvITD9ri/YVbyxCQyJcYjDmThYWOkHgz5yW3OaSmvAIscZA3O7tE6uE1c6aUyjOS+O3Qw6lHpSSG7D+5tp6whJb3Qa7eqiBY0hP4+iI8GYiRPXb2vZbFKLDPYQ4eVOPPJ0lZ3wh1Poqy5s+duZmVH7mx4rXwc+i6TL7S80OiI6LajCfuLE4swnq2n+zfFF2mWzK8DAr93vOlUkRB5eHWleGAYsng7bbC+KdDMqo06aZJDnfa2R/dxRdrhBwZrKMaWAqOLMrjmjgDrj2dMo0/UKsXKHdM83BIlPKCn+gJWjHG3D0ZEXwljrGTgm9YMBG8ZON4ieE05JPbsiI0w==, replyChannel=org.springframework.messaging.core.Template$TemporaryReplyChannel@6365782d, errorChannel=org.springframework.messaging.core.Template$TemporaryReplyChannel@6365782d, one-correlation-id=conv_cb44295ae5e9870f28ee1-02022-1121911, id=8997e7f6-59fa-ba5a-206c-0e7bfbf149c8, Content-Type=application/json, accept=application/json, timestamp=1651515642824} OutboundWebHookPayload={\"clientType\":\"Client\",\"mediaType\":\"ask\",\"subject\":\"AskEscapeClient\",\"userData\":{\"country\":\"US\",\"lastName\":\"DURFEE\",\"agentId\":\"6438\",\"conversationId\":\"conv_cb442617aae5e9870f28ee1\",\"sessionId\":\"itc_830e-bc73-a25aa95c6136\",\"chSessionId\":\"s_7c33b596- -816d21874c5e\",\"locale\":\"en-US\",\"languageCode\":\"en\",\"experience\":\"Pl\",\"publicGuid\":\"cb44295c401145617aae5e9870f28ee1\",\"accountNumber\":\"XXXXXXXXXXXXXXX\",\"firstName\":\"JO\",\"environment\":\"prod\",\"intentCode\":\"travel\",\"upfrontRoutingIntent\":\" travel\",\"InteractionType\":\"Resume\",\"customerId\":\"284745861019\",\"channelName\":\"MA\",\"ProductType\":\"Pla\"}}" | rex "OutboundWebHookPayload=(?<json>\{.*\})" | spath input=json userData output=userData | spath input=userData

Re: How do I extract all fields from userdata?

siksaw33 — Wed, 04 May 2022 13:35:18 GMT

ahh.. n00b mistake by me. @ITWhisperer you are correct. This worked, you are the best. Thanks a ton!