Splunk Dev

How to remove the header so that only the JSON element remains

mah
Builder

Hi, 

I have a log like this:

2021-09-01T07:25:12.314Z id-xxx-xxx-xxx STATE {"Id":"id-xxx-xxx-xxx","timestamp":"2021-09-01T07:25:12.145Z","sourceType":"my_sourcetype","source":"source_name","Type":"my_type","event":{"field":"my_field"},"time":169,"category":"XXX"}

My props.conf looks like this:

[extract_json]
# Raise the per-event size limit so long JSON events are not cut off
TRUNCATE = 999999

# Merge raw lines into events, using the BREAK_* rules below
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
# TIME_PREFIX is a regex for the text immediately before the timestamp;
# in the sample line that text is the JSON key with its quotes
TIME_PREFIX = "timestamp":"
MAX_TIMESTAMP_LOOKAHEAD = 10000
# Only start a new event before a line ending in "{", and always start a
# new event after a line ending in "}"
BREAK_ONLY_BEFORE = {$
MUST_BREAK_AFTER = }$

# Drop the leading timestamp / id / STATE header, keeping the "{" that opens the JSON
SEDCMD-remove-header = s/^[0-9T\:Z]*.*\s*{/{/g

My issue is that I need to extract only the JSON element from my logs, but with those parameters in my props I get a bad extraction: the end of my JSON ( {"field":"my_field"},"time":169,"category":"XXX"} ) goes to another event line and is not JSON.

I have child brackets inside the parent bracket, and I think my SEDCMD is not correct.

I would like to have the entire JSON element in one event.

Can you help me, please?

Thank you!


ITWhisperer
SplunkTrust

Try something like

SEDCMD-remove-header = s/^[0-9T\:Z]*.*?\s*{/{/g


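Why the one-character change fixes it, as an added example that is not code from the thread: with the greedy `.*`, the substitution matches up to the last `{` in the event (the one after `"event":`), so everything before it is deleted and what survives is exactly the fragment quoted in the question. The event is not being split by line breaking; the front of it is being eaten by the SEDCMD, which means the fields in it never reach the index and any search or alert that depends on them silently sees nothing. The lazy `.*?` stops at the first `{`. The script below emulates both patterns on a constructed copy of the sample line and validates the result by parsing it. The `FIRST_BRACE` pattern is my own alternative, not from the thread: it needs no lazy quantifier, so it also works in POSIX sed, which has none (Splunk's own regex engine does, which is what the accepted answer relies on).

```python
import json
import re

# Constructed sample event, shaped like the line in the question (not real log data).
LOG_LINE = (
    '2021-09-01T07:25:12.314Z id-xxx-xxx-xxx STATE '
    '{"Id":"id-xxx-xxx-xxx","timestamp":"2021-09-01T07:25:12.145Z",'
    '"sourceType":"my_sourcetype","source":"source_name","Type":"my_type",'
    '"event":{"field":"my_field"},"time":169,"category":"XXX"}'
)

# The two SEDCMD patterns from the thread, written as Python regexes
# ('[0-9T\:Z]' and '[0-9T:Z]' are equivalent; '{' is escaped to be explicit).
GREEDY = re.compile(r'^[0-9T:Z]*.*\s*\{')   # original props.conf: greedy .*
LAZY = re.compile(r'^[0-9T:Z]*.*?\s*\{')    # accepted answer: lazy .*?
# Assumed alternative (not from the thread): consume everything that is not a
# '{' and stop at the first one. Unambiguous, and it works in POSIX sed too.
FIRST_BRACE = re.compile(r'^[^{]*\{')


def strip_header(line: str, pattern: re.Pattern) -> str:
    """Emulate  s/<pattern>/{/g : replace the matched prefix with a single '{'.

    '^' only matches at offset 0 (no MULTILINE flag), so the /g flag changes
    nothing here; count=0 keeps the emulation faithful anyway.
    """
    return pattern.sub('{', line, count=0)


def extract_json(line: str, pattern: re.Pattern):
    """Strip the header with `pattern`, then try to parse what is left.

    Returns (True, parsed_dict) on success, or (False, leftover_text) when the
    remainder is not one JSON document (json.loads raises 'Extra data' for the
    greedy case, because the leftover is '{"field":"my_field"},"time":...').
    """
    body = strip_header(line, pattern)
    try:
        return True, json.loads(body)
    except json.JSONDecodeError:
        return False, body


if __name__ == "__main__":
    for name, pattern in (("greedy", GREEDY), ("lazy", LAZY), ("first-brace", FIRST_BRACE)):
        ok, result = extract_json(LOG_LINE, pattern)
        if ok:
            print(f"{name:12s} valid JSON, keys: {sorted(result)}")
        else:
            print(f"{name:12s} NOT valid JSON, leftover: {result}")
```

Run it as-is to see the greedy pattern leave only the inner object plus trailing junk, while the lazy and first-brace patterns both yield the full document with `event.field` intact. The same check (strip, then parse) is worth keeping as a unit test whenever a SEDCMD is changed, since a wrong regex fails silently at index time.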

mah
Builder

Hi @ITWhisperer 

It seems to work great!

Thanks a lot!
