Getting Data In

How to parse/index only json entry from raw data which are in non-uniform pattern?

Boopalan
New Member

How to parse/index only json entry from raw data which are in non-uniform pattern?

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw=" <BOR>
  ExSrc:Schwab.Client.Fx^
  URL:null^
  LogMsg:{\"actor\":{\"Cust\":null,\"Acct\":null,\"Rep\":null,\"System\":null},\"header\":{\"AppId\":null,\"RecId\":\"null\",\"Ver\":\"\",\"StartTS\":\"null\"},\"source\":{\"Ip\":\"*\",\"MacAddress\":null,\"SRCOS\":\"null\",\"SRCRuntime\":null,\"SRCAppName\":null,\"SRCAppVersion\":null,\"SRCReqId\":\"null\",\"CorrelationId\":\"null\",\"SourceId\":null,\"Uri\":\"null\"}}^
  ExType:Common.Exceptions.ServiceCommunicationException^
  <EOR>" 
| rex "(?<json>(?={).+})" 
| spath input=json 
| table actor* header* source*

Extracting in search, like this.

0 Karma

Boopalan
New Member

Is there anyway to make this possible through configuration changes while parsing/indexing the log file itself

0 Karma

to4kawa
Ultra Champion

sorry, I can't. please ask others.
please tell me why do you want while parsing/indexing the log file itself?
Is collect bad?

0 Karma

Boopalan
New Member

From the below raw data only json need to be extracted/indexed in the splunk and should be viewed as json structured view while searching this logs on search head

<BOR>
ExSrc:Schwab.Client.Fx^
URL:null^
LogMsg:{"actor":{"Cust":null,"Acct":null,"Rep":null,"System":null},"header":{"AppId":null,"RecId":"null","Ver":"","StartTS":"null"},"source":{"Ip":"*","MacAddress":null,"SRCOS":"null","SRCRuntime":null,"SRCAppName":null,"SRCAppVersion":null,"SRCReqId":"null","CorrelationId":"null","SourceId":null,"Uri":"null"}}^
ExType:Common.Exceptions.ServiceCommunicationException^
<EOR>
0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...