How to parse a field that has flat log text and in...

brent_weaver · ‎02-14-2017

Need some help here. I have the following event:

Feb 14 14:40:01 10.64.61.104 {"protocol": {"protocol": "ip", "app": "http", "session_id": "CzbhnXwfgz1jyPljh", "event_status": "1", "headers_server": "AmazonS3", "transport": "TCP", "dest_port": "50320", "src_port": "80", "event_id": "58a316458a2056136296f1e1", "headers_user-agent": "EventMachine HttpClient", "headers_content-type": "application/zip", "ftype": "gzip", "fname": "cflinuxfs2", "sha256": "db1b2669c46e93c60058e7dd0629c7e609f07bb158e94c8ee0451d2e0774fe7f", "headers_uri": "/system.asv-pr.ice.predix.io-cc-droplets/buildpack_cache/bf/17/bf178b85-8904-4bb6-b022-418e80a28da4/cflinuxfs2?AWSAccessKeyId=cfservices&Signature=FGAHR74Jeg0CeKUSqIXT3rSNitw=&Expires=1487086672", "dest": "10.131.16.223", "timestamp": "2017-02-14 14:37:57.012000", "host": "storecf.gecis.io", "user": "UNKNOWN", "headers_host": "storecf.gecis.io", "md5": "7c6f3b66919b7b8927f684e6d8782489", "src": "10.64.37.22", "dvc": "vna-bv-nw02i"}

I would like to be able to parse out the JSON which should make it into key/value pairs if I am not mistaken. How is this accomplished?

Thanks!

skoelpin · ‎02-14-2017

You should set kv_mode = json in your props.conf

Don't forget to restart the Splunk service after

http://docs.splunk.com/Documentation/Splunk/6.5.2/admin/Propsconf

somesoni2 · ‎02-14-2017

You can use following do this inline at search time.

your base search | rex "^(\S+\s+){4}(?<json_data>.+)" | spath input=json_data

brent_weaver · ‎02-14-2017

How do I adapt that to my props and transforms?

How to parse a field that has flat log text and in JSON format?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?