Solved: How to remove header to have only json element

mah · ‎09-01-2021

Hi,

I have a log like this :

2021-09-01T07:25:12.314Z id-xxx-xxx-xxx STATE {"Id":"id-xxx-xxx-xxx","timestamp":"2021-09-01T07:25:12.145Z","sourceType":"my_sourcetype","source":"source_name","Type":"my_type","event":{"field":"my_field"},"time":169,"category":"XXX"}

My props.conf is like that :

[extract_json]
TRUNCATE = 999999

SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TIME_PREFIX=timestamp:
MAX_TIMESTAMP_LOOKAHEAD=10000
BREAK_ONLY_BEFORE ={$
MUST_BREAK_AFTER=}$

SEDCMD-remove-header = s/^[0-9T\:Z]*.*\s*{/{/g

My issue is that I need to extract only the json element from my logs but with those parameters from my props I get a bad extraction : the end of my json ( {"field":"my_field"},"time":169,"category":"XXX"} ) goes to an other event line and is not in json.

I have children brackets into parent bracket and I think my SEDCMD is not correct.

I would have the entire json element in one event.

Can you help me please ?

Thank you !

ITWhisperer · ‎09-01-2021

Try something like

SEDCMD-remove-header = s/^[0-9T\:Z]*.*?\s*{/{/g

View solution in original post

ITWhisperer · ‎09-01-2021

Try something like

SEDCMD-remove-header = s/^[0-9T\:Z]*.*?\s*{/{/g

mah · ‎09-01-2021

Hi @ITWhisperer

It seems to work great !

Thanks a lot !

How to remove header to have only json element

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?

How to remove header to have only json element

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple