topic How to extract a multi value field called "GroupName" from my JSON data via the Field extractor IFX? in Splunk Search

How to extract a multi value field called "GroupName" from my JSON data via the Field extractor IFX?

neerajs_81 — Tue, 31 May 2022 05:08:34 GMT

Hello, Can someone pls guide how to extract a multi value field called "GroupName" from my JSON data via the Field extractor IFX. The different values are seperated by ",\" as you can see in the raw events. By default it only extracts the 1st value - .

Raw events:

{"LogTimestamp": "Mon May 30 06:27:07 2022",[],"SAMLAttributes": "{\"FirstName\":[\"John\"],\"LastName\":[\"Doe\"],\"Email\":[\"John.doe@mycompany.com\"],\"DepartmentName\":[\"Group1-AVALON\"],\"GroupName\":[\"ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers\"],\"userAccount\":[\"Full Time\"]

Regex generated by the IFX causes GroupName to have only 1 value: "ZPA_Vendor_Azure_All".

I want it to display the other values also such as : Zscaler Proxy Users , NewRelic_FullUser , jira-users , AWS-SSO-lstech-viewonly-users, All Workers .

The end of the different values of GroupName field is just before the "userAccount" field.

Hope i am clear

Re: Extracting JSON multi value fields via IFX field extractor

yuanliu — Mon, 30 May 2022 18:40:23 GMT

If you really, really, really want to use regex to handle this, you can extract the entire GroupName field as one string, then handle that string afterward, e.g.,

\\"GroupName\\":\[(?<GroupNames>[^\]]+)

But really, structured data is best extracted using Splunk's builtin functions. If the complete body of raw event is in JSON, the source type should be set to a JSON type, for example. If the JSON is just part of an unstructured message, use kv_mode=json (c.f., Configure automatic key-value field extraction) in props.conf or spath in SPL.

Re: Extracting JSON multi value fields via IFX field extractor

neerajs_81 — Tue, 31 May 2022 05:18:35 GMT

Hello, I have extracted the entire GroupName field as one string for now. Can you pls advise how to handle it further ? I want it split further to show the different values and exclude characters like \" from the values.

Currently it shows value as below:

ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers

How can i get it to show like this ? Basically GroupName will b a multi value field.

ZPA_Vendor_Azure_All Zscaler Proxy Users NewRelic_FullUser jira-users All Workers

Re: Extracting JSON multi value fields via IFX field extractor

yuanliu — Wed, 01 Jun 2022 00:35:22 GMT

With the string value GroupNames - do not drop the outer quotation marks; they help simplify the next step. (Alternatively, drop all of those escaped quotation marks.) Say, you have a value like

\"ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers\"

the next filter would be to split them and some cleanup.

| eval GroupName = split(replace(GroupNames, "\\\\\"", ""), ",")

This particular method doesn't care whether the outer quotation marks are dropped or not. But it is easier to troubleshoot if those marks are in place.

Re: Extracting JSON multi value fields via IFX field extractor

neerajs_81 — Wed, 01 Jun 2022 04:46:18 GMT

Thank you.