topic Extract JSON data using transforms in Splunk Search

Extract JSON data using transforms

karthikm — Mon, 19 Aug 2024 11:38:48 GMT

Here is my sample log

2024-07-08T04:43:32.468537+00:00 dxx1-dbxxxs.xxx.net MSSQLSERVER[0] {"EventTime":"2024-07-08 04:43:32","Hostname":"dx1-dbxxxs.xxx.net","Keywords":45035996273704960,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":44444,"SourceName":"MSSQLSERVER","Task":5,"RecordNumber":1234343410,"ProcessID":0,"ThreadID":0,"Channel":"Application","Message":"Audit event:lkjfd:sdfkjhf:Askjhdfsdf","Category":"None","EventReceivedTime":"2024-07-08 04:43:32","SourceModuleName":"default-inputs","SourceModuleType":"im_msvistalog"}#015

Here is my config

props.conf

[dbtest:test] #mysourcetype
TRANSFORMS-extract_kv_pairs = extract_json_data

transforms.conf

[extract_json_data]

REGEX = "(\w+)":"?([^",}]+)"?

FORMAT = $1::$2

WRITE_META = true

The same Regex is working in Regex101 here is the test link https://regex101.com/r/rt3bly/1

I am not sure why its not working in my log extraction.

Any help is highly appreciated. Thanks

Re: Extract JSON data using transforms

ITWhisperer — Mon, 19 Aug 2024 11:55:56 GMT

In what way is it "not working"? Are you getting some of the fields, none of the fields, it is only working for some of the events, it is not working for only some sort of data? Do you need to escape the double quotes in the regex?

Re: Extract JSON data using transforms

karthikm — Mon, 19 Aug 2024 12:11:04 GMT

I don't see any fields extracted under in the search head.

This config is placed in the heavy forwarder in the same app where the input is mentioned.

Even in the search head Extract Fields tester the Regex just gives a check mark for all the events saying its a valid regex but doesn't display any Events. Assuming $1::$2 will be used to assign the field name and field value.