
Help with a regex

Builder

I have an event as follows:

Feb 23 15:42:39 10.64.61.104 {"protocol": {"protocol": "ip", "app": "http", "session_id": "CKFoMw2eSzfW8eTgNj", "event_status": "1", "headers_server": "AmazonS3", "transport": "TCP", "dest_port": "43940", "src_port": "8000", "event_id": "58af02768a20561313a6651b", "headers_user-agent": "EventMachine HttpClient", "headers_content-type": "application/octet-stream", "ftype": "gzip", "fname": "f8c860c2da4deae806e1939011f49c37e7feebc8", "sha256": "793dea4ef1ee24b4095ab9ee7a8cd896df26710650cb91a91423125fee960c17", "headers_uri": "/system.asv-pr.ice.predix.io-cc-droplets/4c/82/4c82fe08-01c9-4d3d-a2db-c1f03ef42af4/f8c860c2da4deae806e1939011f49c37e7feebc8?AWSAccessKeyId=cfservices&Signature=pEA2kerBV84E3zSUMTvk6HmIpZc=&Expires=1487868036", "dest": "10.64.37.10", "timestamp": "2017-02-23 15:40:38.911000", "host": "storecf.gecis.io", "user": "UNKNOWN", "headers_host": "storecf.gecis.io", "md5": "2f0467b1d2d304179f28cd7f0c17899c", "src": "10.64.50.105", "dvc": "vna-bv-nw02i"}

Splunk support pointed out that this event is missing a trailing }. The regex I currently have working is ^([^{]+)({.+})$.

This gets me:

{"protocol": {"protocol": "ip", "app": "http", "session_id": "CKFoMw2eSzfW8eTgNj", "event_status": "1", "headers_server": "AmazonS3", "transport": "TCP", "dest_port": "43940", "src_port": "8000", "event_id": "58af02768a20561313a6651b", "headers_user-agent": "EventMachine HttpClient", "headers_content-type": "application/octet-stream", "ftype": "gzip", "fname": "f8c860c2da4deae806e1939011f49c37e7feebc8", "sha256": "793dea4ef1ee24b4095ab9ee7a8cd896df26710650cb91a91423125fee960c17", "headers_uri": "/system.asv-pr.ice.predix.io-cc-droplets/4c/82/4c82fe08-01c9-4d3d-a2db-c1f03ef42af4/f8c860c2da4deae806e1939011f49c37e7feebc8?AWSAccessKeyId=cfservices&Signature=pEA2kerBV84E3zSUMTvk6HmIpZc=&Expires=1487868036", "dest": "10.64.37.10", "timestamp": "2017-02-23 15:40:38.911000", "host": "storecf.gecis.io", "user": "UNKNOWN", "headers_host": "storecf.gecis.io", "md5": "2f0467b1d2d304179f28cd7f0c17899c", "src": "10.64.50.105", "dvc": "vna-bv-nw02i"}

What I need to only get is:

{"protocol": "ip", "app": "http", "session_id": "CKFoMw2eSzfW8eTgNj", "event_status": "1", "headers_server": "AmazonS3", "transport": "TCP", "dest_port": "43940", "src_port": "8000", "event_id": "58af02768a20561313a6651b", "headers_user-agent": "EventMachine HttpClient", "headers_content-type": "application/octet-stream", "ftype": "gzip", "fname": "f8c860c2da4deae806e1939011f49c37e7feebc8", "sha256": "793dea4ef1ee24b4095ab9ee7a8cd896df26710650cb91a91423125fee960c17", "headers_uri": "/system.asv-pr.ice.predix.io-cc-droplets/4c/82/4c82fe08-01c9-4d3d-a2db-c1f03ef42af4/f8c860c2da4deae806e1939011f49c37e7feebc8?AWSAccessKeyId=cfservices&Signature=pEA2kerBV84E3zSUMTvk6HmIpZc=&Expires=1487868036", "dest": "10.64.37.10", "timestamp": "2017-02-23 15:40:38.911000", "host": "storecf.gecis.io", "user": "UNKNOWN", "headers_host": "storecf.gecis.io", "md5": "2f0467b1d2d304179f28cd7f0c17899c", "src": "10.64.50.105", "dvc": "vna-bv-nw02i"}

Being a newb to regex, how do I do this?


Re: Help with a regex

SplunkTrust

Try this

^([^\{]+)\{([^\{]+)(?<Jsondata>\{.+\})$

Re: Help with a regex

Esteemed Legend

I am assuming that you don't need the curly-braces either so use this:

([^{]*)}

If you really need the curly-braces, then do this:

({[^{]*})
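
An added example, not part of the thread: the patterns above run in Python against a shortened, constructed copy of the event, with and without the missing outer brace, to show which captures are valid JSON in each case. The `inner_object` helper is hypothetical and uses `json.JSONDecoder.raw_decode` as an alternative that gives the same result either way; Python spells the named group `(?P<Jsondata>...)`.

```python
import json
import re

# Constructed, shortened version of the event in the question: syslog prefix,
# an outer {"protocol": wrapper, and the outer closing brace missing.
TRUNCATED = ('Feb 23 15:42:39 10.64.61.104 {"protocol": {"protocol": "ip", '
             '"app": "http", "dest_port": "43940", "dvc": "vna-bv-nw02i"}')
# The same event as it would look if the sender emitted the final brace.
COMPLETE = TRUNCATED + "}"

# The patterns from the thread (Python spells a named group (?P<name>...)).
ASKER = re.compile(r'^([^{]+)(\{.+\})$')
ANSWER_1 = re.compile(r'^([^{]+)\{([^{]+)(?P<Jsondata>\{.+\})$')
ANSWER_2 = re.compile(r'(\{[^{]*\})')


def parses(text):
    """Return True if text is one complete JSON document."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def inner_object(line):
    """Decode the first nested JSON object, ignoring any trailing braces.

    raw_decode() stops at the end of the first complete value, so the result
    is the same whether or not the outer closing brace is present.
    """
    outer = line.index("{")
    inner = line.index("{", outer + 1)
    obj, _end = json.JSONDecoder().raw_decode(line, inner)
    return obj


if __name__ == "__main__":
    for name, line in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        print(name)
        print("  asker    parses:", parses(ASKER.search(line).group(2)))
        print("  answer 1 parses:", parses(ANSWER_1.search(line).group("Jsondata")))
        print("  answer 2 parses:", parses(ANSWER_2.search(line).group(1)))
        print("  raw_decode     :", inner_object(line)["dvc"])
```

Both answer patterns depend on the event being truncated: once the sender emits the final brace, their captures end in `}}` and no longer parse as JSON.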