Hello! I realize that the question is a bit particular, so I will try to explain through an example.
I am indexing a json that looks like this with escaped characters and leading/trailing quotes:
"{\"data\": {\"essentials\": {\"monitorCondition\": \"Resolved\",\"firedDateTime\": \"2022-09-26T14:56:41.7862462Z\",\"resolvedDateTime\": \"2022-09-26T15:02:47.9852843Z\"}}}"
I need to associate _time with the following statement:
If monitorCondition=Fired then parse firedDateTime as _time, otherwise parse resolvedDateTime as _time.
Since the JSON is not understood directly by Splunk due to the escaped quotes, I am attempting the following:
This is my props.conf so far:
The result is that I can get Splunk to parse the json correctly, but it does not extract the timestamp.
Could anybody give me a push in the right direction?
Thank you and best regards,
Andrew
Put this in your transforms.conf instead of INGEST_EVAL. This regex works off the _raw event example you've provided. Disable the SEDCMD.
REGEX = \x5c\x22monitorCondition\x5c\x22[^\w]*(((Fired)[^\w]*firedDateTime)|(.*resolvedDateTime))[^\w]*(?<timestamp>[\w\d\:\-\.]*)
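To see what that REGEX captures before committing it to transforms.conf, here is an added Python example (not from the original thread): it runs the same pattern over two constructed _raw events, one Resolved and one Fired, parses the capture into a UTC datetime, and cross-checks it against the field a double `json.loads` of the event selects. Python spells the named group `(?P<timestamp>...)` rather than PCRE's `(?<timestamp>...)`.

```python
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample _raw events in the same shape as the one in the question:
# the whole JSON document is a quoted string whose inner quotes are escaped.
RAW_RESOLVED = (
    r'"{\"data\": {\"essentials\": {\"monitorCondition\": \"Resolved\",'
    r'\"firedDateTime\": \"2022-09-26T14:56:41.7862462Z\",'
    r'\"resolvedDateTime\": \"2022-09-26T15:02:47.9852843Z\"}}}"'
)
RAW_FIRED = RAW_RESOLVED.replace(r'\"Resolved\"', r'\"Fired\"')

# The answer's REGEX; \x5c\x22 is the escaped quote \" that appears in _raw.
# Alternative 1 fires only on "Fired" and walks to firedDateTime, alternative 2
# greedily skips to resolvedDateTime, which implements the "otherwise" branch.
TIMESTAMP_RE = re.compile(
    r'\x5c\x22monitorCondition\x5c\x22[^\w]*'
    r'(((Fired)[^\w]*firedDateTime)|(.*resolvedDateTime))'
    r'[^\w]*(?P<timestamp>[\w\d\:\-\.]*)'
)


def extract_timestamp(raw: str) -> Optional[str]:
    """Return the <timestamp> capture the transform would expose, or None on a miss."""
    m = TIMESTAMP_RE.search(raw)
    return m.group("timestamp") if m else None


def to_event_time(stamp: str) -> datetime:
    """Parse the captured value into an aware UTC datetime.

    The sample carries 7 fractional digits; strptime's %f accepts at most 6,
    so the fraction is truncated to microseconds.
    """
    base, frac = stamp.rstrip("Z").split(".")
    dt = datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc)


def expected_from_json(raw: str) -> str:
    """Cross-check: _raw is a JSON string literal wrapping a JSON document,
    so decoding twice yields the object and the rule can be applied directly."""
    ess = json.loads(json.loads(raw))["data"]["essentials"]
    key = "firedDateTime" if ess["monitorCondition"] == "Fired" else "resolvedDateTime"
    return ess[key]


if __name__ == "__main__":
    for raw in (RAW_RESOLVED, RAW_FIRED):
        stamp = extract_timestamp(raw)
        print(stamp, to_event_time(stamp).timestamp(), stamp == expected_from_json(raw))
```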