Need to remove prefix from json array.

vin02ptl · ‎05-15-2020

Need to remove prefix from json array. I want to remove everything before {"id"

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[{"id"

to4kawa · ‎05-16-2020

props.conf

[odata]
CHARSET=UTF-8
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTION = none
KV_MODE = json
LINE_BREAKER = (.*:\[){\"id|}(,)|(\]})
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false

please modify DATETIME_CONFIG

If you don't present your log properly(you should use code sample), you can't expect a response.

gcusello · ‎05-15-2020

Hi @vin02ptl,
please, could you share an example of your logs?
Anyway, I solved this problem with this regex:

| rex "[^\{]*(?<all>.*)"

Ciao.
Giuseppe

vin02ptl · ‎05-15-2020

how to write in props.conf

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[]}
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[]}
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[{"id":"B2Cxx","catego...}

vin02ptl · ‎05-15-2020

@gcusello please have a look and advice

gcusello · ‎05-15-2020

Hi @vin02ptl,
Thy this regex

\"id\":\"(?<id>[^\"]+)\",\"category\":\"(?<category>[^\"]+)\",\"correlationId\":(?<correlationId>[^\"]+),\"activityDateTime\":\"(?<activityDateTime>[^\"]+)

that you can test at https://regex101.com/r/StogWZ/1

Ciao.
Giuseppe

vin02ptl · ‎05-15-2020

i just want to remove header part during indexing remaining parsing field regex i can write....

Need to remove prefix from json array.

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies