All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I index JSON that's embedded in HMTL?

mgagliardi
Path Finder
‎02-10-2017 06:31 AM

I'm querying an endpoint that is returning JSON embedded in HTML. Like so:

<HTML><BODY> <pre id="info">...</pre> &lt;br/&gt; <script>document.getElementById("info").innerHTML = JSON.stringify({"perfInfo":{"processes":79,"threads":1662,"PhysicalAvailable":11717,"PhysicalTotal":16383,"CommitTotal":5856,"CommitLimit":22525,"CommitPeak":7155,"KernelNonpaged":100,"KernelPaged":209,"KernelTotal":310},"sysInfo":{"powerProfile":"7","hostname":"HOSTNAME","Version":"7.5.0.206","UDI":"(01)00853866003209(11)170203(10)7.5.0.206","BootstrapperProfile":"Enterprise - Management","hwProductName":"VMware Virtual Platform","hwBIOSVersion":"6.00","osVersion":"Windows Server 2012 (R2) (6.3 Server build 9600)"},"gpuInfo":{"numGPUs":0},"Sessions":{"available":1,"capacity":1,"assigned":[],"passive":0,"allowingNewConnections":true},"slots":{"totalSlots":1,"availableSlots":1,"passiveSlots":0,"userRamReservedMB":15559,"userRamRemainingMB":13639}}
, null, 4); </script>&lt;br/&gt;</BODY></HTML>

I want just the JSON but I'm having a hell of a time figuring out how to strip away or ignore the HTML. Could anyone offer some pointers? TIA!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2017 10:23 AM

Configure this in props.conf for your sourcetype:

[your_sourcetype]
SEDCMD-removeHTMLBeginning = s/<HTML>[\s\S]*\(\{/{/g
SEDCMD-removeHTMLEnd = s/\}\}[\s\S]*$/}}/g

That worked for me with your sample response.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2017 10:23 AM

Configure this in props.conf for your sourcetype:

[your_sourcetype]
SEDCMD-removeHTMLBeginning = s/<HTML>[\s\S]*\(\{/{/g
SEDCMD-removeHTMLEnd = s/\}\}[\s\S]*$/}}/g

That worked for me with your sample response.

0 Karma
Reply
Solved! Jump to solution

mgagliardi
Path Finder
‎02-10-2017 11:21 AM

FWIW your answer works, but I also found that setting an HTTP header of Accept=application/json got me where I wanted to go (via the REST API data source).

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2017 11:23 AM

Even better! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...