Need to remove prefix from json array.

vin02ptl · ‎05-15-2020

Need to remove prefix from json array. I want to remove everything before {"id"

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[{"id"

to4kawa · ‎05-16-2020

props.conf

[odata]
CHARSET=UTF-8
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTION = none
KV_MODE = json
LINE_BREAKER = (.*:\[){\"id|}(,)|(\]})
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false

please modify DATETIME_CONFIG

If you don't present your log properly(you should use code sample), you can't expect a response.

gcusello · ‎05-15-2020

Hi @vin02ptl,
please, could you share an example of your logs?
Anyway, I solved this problem with this regex:

| rex "[^\{]*(?<all>.*)"

Ciao.
Giuseppe

vin02ptl · ‎05-15-2020

how to write in props.conf

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[]}
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[]}
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#auditLogs/directoryAudits","value":[{"id":"B2Cxx","catego...}

vin02ptl · ‎05-15-2020

@gcusello please have a look and advice

gcusello · ‎05-15-2020

Hi @vin02ptl,
Thy this regex

\"id\":\"(?<id>[^\"]+)\",\"category\":\"(?<category>[^\"]+)\",\"correlationId\":(?<correlationId>[^\"]+),\"activityDateTime\":\"(?<activityDateTime>[^\"]+)

that you can test at https://regex101.com/r/StogWZ/1

Ciao.
Giuseppe

vin02ptl · ‎05-15-2020

i just want to remove header part during indexing remaining parsing field regex i can write....

Need to remove prefix from json array.

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!