Solved: How to extract fields from child node

michael_wong · ‎02-23-2021

Deleted

venkatasri · ‎03-01-2021

Hi,

Splunk extracts the JSON fields automatically if it is well-formed. In this case json fields are starting with leading _ which will be removed by Splunk when automatically extract the fields.

Your fields would be,

content_

hostname_

etc..

You can use inline regex as following to extract KV pairs in content_ field .

index=test source="test_json" sourcetype="test_new"
| rex field=content_ "TTY=(?<tty_val>[^;]+);\s+PWD=(?<pwd_val>[^;]+);\s+USER=(?<user_val>[^;]+);\s+COMMAND=(?<command_val>[^;]+)"
| table tty_val pwd_val user_val command_val

Please note in your case source index and sourcetype differs.

--------------------------------

upvote if it helps!

View solution in original post

venkatasri · ‎03-01-2021

Hi,

Splunk extracts the JSON fields automatically if it is well-formed. In this case json fields are starting with leading _ which will be removed by Splunk when automatically extract the fields.

Your fields would be,

content_

hostname_

etc..

You can use inline regex as following to extract KV pairs in content_ field .

index=test source="test_json" sourcetype="test_new"
| rex field=content_ "TTY=(?<tty_val>[^;]+);\s+PWD=(?<pwd_val>[^;]+);\s+USER=(?<user_val>[^;]+);\s+COMMAND=(?<command_val>[^;]+)"
| table tty_val pwd_val user_val command_val

Please note in your case source index and sourcetype differs.

--------------------------------

upvote if it helps!

How to extract fields from child node

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation