Additional fields extraction from json data

RSS_STT
Explorer

I have a field, CI, extracted from a JSON payload:

{
"Name": "zSeries",
"Severity":5,
"Category":"EVENT",
"SubCategory":"Service issues - Unspecified",
"TStatus": "OPEN",
"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",
"Component": "iphone"
}

Further, I want the CI field value extracted using DELIMS = ";". I have created the props & transforms configuration below, but it is not working.


[source::cluster_test]
REPORT-fields = ci-extraction


[ci-extraction]
SOURCE_KEY = CI
DELIMS = ";"
FIELDS = CI_V2,CI_1,CI_2,CI_3,CI_4,CI_5

Any help highly appreciated.

RSS_STT
Explorer

CI field values won't be constant. Sometimes it can contain 3 values, sometimes 4 or 5 semicolon-separated values.

But the 1st word in the CI field is fixed: it is V2. How can we handle that with inline rex or with props?

Example:

"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",

"CI": "V2;Y;Linx;srv048",

"CI": "V2;LX;apple;rose;server",


gcusello
SplunkTrust

Hi @RSS_STT ,

please try this:

| rex "\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);(?<CI_3>[^;\"]*);(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)"

Ciao.

Giuseppe


RSS_STT
Explorer

It's not working..


gcusello
SplunkTrust

Hi @RSS_STT ,

please try this regex:

(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)

that you can test at https://regex101.com/r/fndJqR/2

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @RSS_STT ,

sorry! I was focused on the other fields and I forgot the start of the string, please try this:

\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)

that you can test at https://regex101.com/r/fndJqR/3

Ciao.

Giuseppe


RSS_STT
Explorer

CI_5 field extraction is not proper. As of now, all last values (C, srv048 & server) are going into CI_5, which is not correct.

"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",
"CI": "V2;Y;Linx;srv048",
"CI": "V2;LX;apple;rose;server",


gcusello
SplunkTrust

Hi @RSS_STT,

sorry, I forgot one asterisk, please try this:

\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);*(?<CI_5>[^;\"]*)

that you can test at https://regex101.com/r/fndJqR/4

Ciao.

Giuseppe
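To check how the regex101 /4 regex above behaves on the three CI shapes from the question without a Splunk instance, here is an added Python harness (not from the thread or from Splunk). It converts the PCRE named groups to Python syntax, runs the regex over constructed raw events, and compares the result with a plain split on ";", which is what the DELIMS/FIELDS transform in the question was trying to do.

```python
import json
import re

# The regex from the regex101 /4 reply, in the PCRE syntax Splunk uses.
# The `;*` after CI_2..CI_4 makes those delimiters optional, so CI values
# with 4, 5 or 6 parts all match.
SPLUNK_REGEX = (
    r'\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*'
    r'(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);*(?<CI_5>[^;\"]*)'
)
# Field names from the FIELDS line of the transforms.conf in the question.
FIELDS = ["CI_V2", "CI_1", "CI_2", "CI_3", "CI_4", "CI_5"]

# Constructed raw events modelled on the three sample CI values in the thread.
EVENT_WINDOWS = ('{"Name": "zSeries", "Severity": 5, "Category": "EVENT", '
                 '"CI": "V2;Y;Windows;srv048;LogicalDisk;C:", "Component": "iphone"}')
EVENT_LINUX = '{"Name": "zSeries", "Severity": 3, "CI": "V2;Y;Linx;srv048"}'
EVENT_APPLE = '{"Name": "zSeries", "Severity": 1, "CI": "V2;LX;apple;rose;server"}'


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<n>...) to Python's (?P<n>...); lookbehinds are untouched."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract_with_regex(raw_event):
    """Apply the thread's regex to a raw event; empty captures are dropped so the
    result can be compared with the delimiter split below."""
    match = re.search(pcre_to_python(SPLUNK_REGEX), raw_event)
    if match is None:
        return {}
    return {name: value for name, value in match.groupdict().items() if value}


def extract_with_delims(raw_event):
    """The DELIMS=";" / FIELDS idea from the question, applied to the parsed CI value."""
    ci_value = json.loads(raw_event)["CI"]
    return dict(zip(FIELDS, ci_value.split(";")))


if __name__ == "__main__":
    for event in (EVENT_WINDOWS, EVENT_LINUX, EVENT_APPLE):
        fields = extract_with_regex(event)
        print(fields == extract_with_delims(event), fields)
```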

RSS_STT
Explorer

Seems to be working for the rest of the fields but not for CI_V2.

It is creating the field value CI_V2="CI": "V2 . It should be CI_V2 = V2.


kamlesh_vaghela
SplunkTrust

@RSS_STT 

You can also try adding this in props.conf.

[cluster_test]
EXTRACT-fields = "CI":\s"(?<CI_V2>.*)\;(?<CI_1>.*)\;(?<CI_2>.*)\;(?<CI_3>.*)\;(?<CI_4>.*)\;(?<CI_5>.*)\",


I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.


gcusello
SplunkTrust

Hi @RSS_STT,

I cannot debug your field extraction without accessing your system, but you could use a regex:

| rex "\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;]*);(?<CI_2>[^;]*);(?<CI_3>[^;]*);(?<CI_4>[^;]*);(?<CI_5>[^\"]*)"

or 

| rex field=CI "(?<CI_V2>[^;]*);(?<CI_1>[^;]*);(?<CI_2>[^;]*);(?<CI_3>[^;]*);(?<CI_4>[^;]*);(?<CI_5>[^\"]*)"

that you can test at https://regex101.com/r/fndJqR/1

Ciao.

Giuseppe
