Re: Splunk HEC extract value incorrect when there ... - Splunk Community

Getting Data In

Using HTTP Event Collector to receier data. When there is unwanted curly brace(s) in value. Event parse incorrect. How can I extract the data when there is {} in the data?

props.conf

SEDCMD-trim = s/{(.*)}/\1/g s/=([^\"].*?)(,|$)/="\1"\2/g

I receiver data via SPLUNK HEC, and the {} is in data, not in the filed name.

well, Is it JSON format?

Yes JSON fomat. something like: {key1=value1, key2=value2,....key3="xxxx{yyyyy", keyn1=valuen1}. The curly brace in value3 will result incorrect event parse.

please provide actual log. (PII data masking)

your log looks like non-valid JSON.

reference: https://www.json.org/json-en.html

{RCD=MC, ASID=006F, TIMESTAMP=20132 07.04.48.140 -0400, SMFID=MYSSTEM , TEXT=" +This is a control {line FAPFENG} This is the last message line", path=SYSLOG, timezone=-0400, sourcetype=SYSLOG-logmsg, system=XY}

TIMESTAMP=20132 07.04.48.140 -0400 really?
how about my updated answer?

Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...