Hi
I am getting logs as JSON-like data, which Splunk handles very well.
But the problem is that I want to extract fields from the child node _content_, as it contains the useful information, like command, user, PWD. Can this be done by editing props.conf?
RAW:
{"__topic__": "", "__source__": "10.189.0.0", "__tag__:__pack_id__": "368845338C122456-6C49", "__tag__:__hostname__": "iz1hl01da6dz8v4uga8hytz", "__tag__:__receive_time__": "1614067931", "_content_": "alisvc : TTY=pts/0 ; PWD=/home/alisvc ; USER=root ; COMMAND=/bin/su - root", "_program_": "sudo", "_priority_": "85", "_facility_": "10", "_severity_": "5", "_unixtimestamp_": "1614067931000000000", "_hostname_": "iz1hl01da6dz8v4", "_ip_": "10.189.0.0"}
Splunk search
__source__: 10.189.0.0
__tag__:__hostname__: iz1hl01da6dz8v4
__tag__:__pack_id__: 368845338C122456-6C49
__tag__:__receive_time__: 1614067931
__topic__:
_content_: alisvc : TTY=pts/0 ; PWD=/home/alisvc ; USER=root ; COMMAND=/bin/su - root
_facility_: 10
_hostname_: iz1hl01da6dz8v4
_ip_: 10.189.0.0
_priority_: 85
_program_: sudo
_severity_: 5
_unixtimestamp_: 1614067931000000000
Any help would be really appreciated.
Thanks!
Hi,
Splunk extracts JSON fields automatically if the JSON is well-formed. In this case the JSON field names start with a leading _, which Splunk removes when it extracts the fields automatically.
Your fields would be,
content_
hostname_
etc..
You can use an inline regex as follows to extract the KV pairs from the content_ field.
index=test source="test_json" sourcetype="test_new"
| rex field=content_ "TTY=(?<tty_val>[^;]+?)\s*;\s*PWD=(?<pwd_val>[^;]+?)\s*;\s*USER=(?<user_val>[^;]+?)\s*;\s*COMMAND=(?<command_val>.+)"
| table tty_val pwd_val user_val command_val
Please note that in your case the index, source and sourcetype differ.
--------------------------------
upvote if it helps!
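The same extraction outside Splunk, as an added example that is not part of either post: it parses the JSON envelope, renames the keys the way the answer says Splunk does, and splits content_ with a regex equivalent to the rex above. The sample event is constructed from the question's raw record; the function and field names are my own.

```python
import json
import re

# Constructed sample, modelled on the question's raw event (not a real host).
RAW_EVENT = (
    '{"__topic__": "", "__source__": "10.189.0.0", '
    '"__tag__:__hostname__": "iz1hl01da6dz8v4uga8hytz", '
    '"__tag__:__receive_time__": "1614067931", '
    '"_content_": "alisvc : TTY=pts/0 ; PWD=/home/alisvc ; USER=root ; COMMAND=/bin/su - root", '
    '"_program_": "sudo", "_priority_": "85", "_severity_": "5", '
    '"_hostname_": "iz1hl01da6dz8v4", "_ip_": "10.189.0.0"}'
)

# Equivalent of the answer's rex. Lazy captures plus \s*;\s* keep the " ; "
# separator's whitespace out of the values; COMMAND runs to end of line because
# a sudo command line may itself contain ';'.
SUDO_RE = re.compile(
    r"^(?P<sudo_user>\S+)\s*:\s*TTY=(?P<tty>[^;]+?)\s*;\s*"
    r"PWD=(?P<pwd>[^;]+?)\s*;\s*USER=(?P<target_user>[^;]+?)\s*;\s*"
    r"COMMAND=(?P<command>.+?)\s*$"
)


def strip_leading_underscores(record):
    """Rename keys as the answer describes Splunk doing ("_content_" -> "content_")."""
    return {k.lstrip("_"): v for k, v in record.items()}


def extract_sudo_fields(raw_event):
    """Parse one JSON event and split content_ into tty/pwd/target_user/command.

    Returns None for events that are not sudo command records, so a caller
    can run it over a mixed stream without special-casing other programs.
    """
    fields = strip_leading_underscores(json.loads(raw_event))
    if fields.get("program_") != "sudo":
        return None
    m = SUDO_RE.match(fields.get("content_", ""))
    if not m:
        return None
    return {**fields, **m.groupdict()}


if __name__ == "__main__":
    print(extract_sudo_fields(RAW_EVENT))
```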