Re: How to parse/index only json entry from raw da...

Boopalan · ‎01-26-2020

How to parse/index only json entry from raw data which are in non-uniform pattern?

to4kawa · ‎01-26-2020

| makeresults 
| eval _raw=" <BOR>
  ExSrc:Schwab.Client.Fx^
  URL:null^
  LogMsg:{\"actor\":{\"Cust\":null,\"Acct\":null,\"Rep\":null,\"System\":null},\"header\":{\"AppId\":null,\"RecId\":\"null\",\"Ver\":\"\",\"StartTS\":\"null\"},\"source\":{\"Ip\":\"*\",\"MacAddress\":null,\"SRCOS\":\"null\",\"SRCRuntime\":null,\"SRCAppName\":null,\"SRCAppVersion\":null,\"SRCReqId\":\"null\",\"CorrelationId\":\"null\",\"SourceId\":null,\"Uri\":\"null\"}}^
  ExType:Common.Exceptions.ServiceCommunicationException^
  <EOR>" 
| rex "(?<json>(?={).+})" 
| spath input=json 
| table actor* header* source*

Extracting in search, like this.

Boopalan · ‎01-26-2020

Is there anyway to make this possible through configuration changes while parsing/indexing the log file itself

to4kawa · ‎01-27-2020

sorry, I can't. please ask others.
please tell me why do you want while parsing/indexing the log file itself?
Is collect bad?

Boopalan · ‎01-26-2020

From the below raw data only json need to be extracted/indexed in the splunk and should be viewed as json structured view while searching this logs on search head

<BOR>
ExSrc:Schwab.Client.Fx^
URL:null^
LogMsg:{"actor":{"Cust":null,"Acct":null,"Rep":null,"System":null},"header":{"AppId":null,"RecId":"null","Ver":"","StartTS":"null"},"source":{"Ip":"*","MacAddress":null,"SRCOS":"null","SRCRuntime":null,"SRCAppName":null,"SRCAppVersion":null,"SRCReqId":"null","CorrelationId":"null","SourceId":null,"Uri":"null"}}^
ExType:Common.Exceptions.ServiceCommunicationException^
<EOR>

How to parse/index only json entry from raw data which are in non-uniform pattern?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application