Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to extract data into separate fields (from nes...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alexsok
New Member
05-27-2020
01:05 PM
I have this data coming in:
{"endpointType":"MAC","appName":"Tracker","endpointId":"1d11dd05-a8a9-11e9-a74b-873869538d14","ip":"192.168.41.1","endpointName":"tess-mbp.lan","timestampUTC":"2020-05-27T17:07:49Z","userName":"john","type":"FileSystemObserver","hostname":"test.com","userItemId":"rm-71a7812d-9444-11e8-8e37-8b2186626e5a","clientIp":"11.212.222.240","host":"dev.test.com:192.168.48.5","userEmail":"john@test.com","details":"{\"message\":\"{\\\"type\\\":\\\"File\\\", \\\"action\\\":\\\"Renamed\\\", \\\"timestamp\\\":\\\"1590599269\\\", \\\"path\\\":\\\"/Users/john/Library/Application Support/Google/Chrome/Default/Service Worker/CacheStorage/eadf114e35641d8a14aa9648d8e1c01b4b3bb3f0/index.txt\\\", \\\"sysinfo\\\":\\\"{\\\"ItemRenamed\\\",\\\"ItemIsFile\\\"}\\\"}\"}","authType":"MEMBER_ENDPOINT","requestSignature":"POST_/v3/report","epochTime":"1590599269","user-agent":"RR Endpoint/ag-2.10.1.797 (Darwin; 19.4.0; x86_64; tests-mbp.lan; 78:4f:41:7e:e1:06)"}
Data from details is not getting extracted. I need to get all data from details in separate fields, like:
type: File
action: Renamed
path: Users/john.........
sysinfo:
ItemRenamed:
If someone could help, it would be very appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-28-2020
03:33 PM
your search
| table details
| spath input=details
| rex field=message "sysinfo\":\"(?<sysinfos>.*})\""
| spath input=message
| rename sysinfos as sysinfo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-28-2020
03:33 PM
your search
| table details
| spath input=details
| rex field=message "sysinfo\":\"(?<sysinfos>.*})\""
| spath input=message
| rename sysinfos as sysinfo
Get Updates on the Splunk Community!
Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts
We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...
Video | Tom’s Smartness Journey Continues
Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
Learn how unique features like ...
