Re: Splunk HEC extract value incorrect when there ...

cdp_fap · ‎05-11-2020

Using HTTP Event Collector to receier data. When there is unwanted curly brace(s) in value. Event parse incorrect. How can I extract the data when there is {} in the data?

to4kawa · ‎05-11-2020

props.conf

SEDCMD-trim = s/{(.*)}/\1/g s/=([^\"].*?)(,|$)/="\1"\2/g

cdp_fap · ‎05-11-2020

I receiver data via SPLUNK HEC, and the {} is in data, not in the filed name.

to4kawa · ‎05-11-2020

well, Is it JSON format?

cdp_fap · ‎05-11-2020

Yes JSON fomat. something like: {key1=value1, key2=value2,....key3="xxxx{yyyyy", keyn1=valuen1}. The curly brace in value3 will result incorrect event parse.

to4kawa · ‎05-11-2020

please provide actual log. (PII data masking)

your log looks like non-valid JSON.

reference: https://www.json.org/json-en.html

cdp_fap · ‎05-11-2020

{RCD=MC, ASID=006F, TIMESTAMP=20132 07.04.48.140 -0400, SMFID=MYSSTEM , TEXT=" +This is a control {line FAPFENG} This is the last message line", path=SYSLOG, timezone=-0400, sourcetype=SYSLOG-logmsg, system=XY}

to4kawa · ‎05-11-2020

TIMESTAMP=20132 07.04.48.140 -0400 really?
how about my updated answer?

Splunk HEC extract value incorrect when there is curly braces in value of key-value pairs.

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Splunk HEC extract value incorrect when there is curly braces in value of key-value pairs.

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES