Solved: Strip leading junk to index json

ntripp_element · ‎07-01-2020

I have some json coming in from syslog and there's a bunch of added junk that's inhibiting the field extraction.

I tried

transforms.conf

[eliminate_header]
REGEX=s/^[^{]+//g
DEST_KEY=queue
FORMAT=nullQueue

and

props.conf

[syslog_cue]
TRANSFORMS-t1=eliminate_header

and a couple other things but can't quite seem to get the outcome I want. Testing the regex works, but isn't helping in the way I need it to.

richgalloway · ‎07-01-2020

Please provide examples of the original data and the desired output. It's almost impossible to solve regex problems without that.

That said, the REGEX line shown is not valid in transforms.conf. Sed commands are not supported so the regex contains unescaped delimiter characters (slashes).

Additionally, FORMAT=nullQueue discards entire events that match the REGEX, not just the text that matches.

You probably want to use SEDCMD in props.conf.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-01-2020

Please provide examples of the original data and the desired output. It's almost impossible to solve regex problems without that.

That said, the REGEX line shown is not valid in transforms.conf. Sed commands are not supported so the regex contains unescaped delimiter characters (slashes).

Additionally, FORMAT=nullQueue discards entire events that match the REGEX, not just the text that matches.

You probably want to use SEDCMD in props.conf.

---
If this reply helps you, Karma would be appreciated.

Strip leading junk to index json

field extraction

index

JSON

props.conf

transforms.conf

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

Strip leading junk to index json