Getting Data In

How to extract fields from child node

michael_wong
Path Finder

Hi

I am getting the log from json-like data, Splunk can handle it very well.

But the problem is I want to extract fields from child node _content_, as it contain the userful information, like command, user, PWD. Can this done by edit props.conf?

RAW:

{"__topic__": "", "__source__": "10.189.0.0", "__tag__:__pack_id__": "368845338C122456-6C49", "__tag__:__hostname__": "iz1hl01da6dz8v4uga8hytz", "__tag__:__receive_time__": "1614067931", "_content_": "alisvc : TTY=pts/0 ; PWD=/home/alisvc ; USER=root ; COMMAND=/bin/su - root", "_program_": "sudo", "_priority_": "85", "_facility_": "10", "_severity_": "5", "_unixtimestamp_": "1614067931000000000", "_hostname_": "iz1hl01da6dz8v4", "_ip_": "10.189.0.0"}

Splunk search   

__source__: 10.189.0.0
   __tag__:__hostname__: iz1hl01da6dz8v4
   __tag__:__pack_id__: 368845338C122456-6C49
   __tag__:__receive_time__: 1614067931
   __topic__:
   _content_: alisvc : TTY=pts/0 ; PWD=/home/alisvc ; USER=root ; COMMAND=/bin/su - root
   _facility_: 10
   _hostname_: iz1hl01da6dz8v4
   _ip_: 10.189.0.0
   _priority_: 85
   _program_: sudo
   _severity_: 5
   _unixtimestamp_: 1614067931000000000

 

Any help provided it would be really appreciated.
Thanks!

Labels (1)
0 Karma
1 Solution

venkatasri
Motivator

Hi,

Splunk extracts the JSON fields automatically if it is well-formed.  In this case json fields are starting with leading _ which will be removed by Splunk when automatically extract the fields.

Your fields would be,

content_

hostname_

etc..

You can use inline regex as following to extract KV pairs in content_ field .

index=test source="test_json"  sourcetype="test_new"
| rex field=content_ "TTY=(?<tty_val>[^;]+);\s+PWD=(?<pwd_val>[^;]+);\s+USER=(?<user_val>[^;]+);\s+COMMAND=(?<command_val>[^;]+)"
| table tty_val pwd_val user_val command_val

Please note in your case source index and sourcetype differs.

--------------------------------

upvote if it helps!

 

View solution in original post

0 Karma

venkatasri
Motivator

Hi,

Splunk extracts the JSON fields automatically if it is well-formed.  In this case json fields are starting with leading _ which will be removed by Splunk when automatically extract the fields.

Your fields would be,

content_

hostname_

etc..

You can use inline regex as following to extract KV pairs in content_ field .

index=test source="test_json"  sourcetype="test_new"
| rex field=content_ "TTY=(?<tty_val>[^;]+);\s+PWD=(?<pwd_val>[^;]+);\s+USER=(?<user_val>[^;]+);\s+COMMAND=(?<command_val>[^;]+)"
| table tty_val pwd_val user_val command_val

Please note in your case source index and sourcetype differs.

--------------------------------

upvote if it helps!

 

View solution in original post

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.