Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- How to create regex for Array of objects while cre...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nagendraDumpala
Engager
06-23-2020
12:04 PM
We have an object like below.
{ "mirId": "Mule-111", "appVersion": "v1", "businessGroup": "MARKETING", "compress": false, "appName": "dev-sys-netsuite-int-v1", "relational_correlationId": "c96563d1-acb3-11ea-9d9b-0654f1d3f281", "tracePointDescription": "Capture payload", "threadName": "[MuleRuntime].cpuLight.13: [adaptive-logger-test].adaptive-loggerFlow.CPU_LITE @6dbce5f9", "content": { "exception": "", "payload": "https://s3.console.aws.amazon.com/s3/object/unilever-ai-operationalframework/LEVEREDGE/prod/dispatch...", "businessFields": [ { "key": "File_Name", "value": "ASN_200622170087026.xml" }, { "key": "IDOC_NAME", "value": "0000001408187026" } ], "category": "org.unilever.apps.adaptiveloggertest" }, "environment": "TJ-MARKETING-Dev", "LogMessage": "Test-TJ-SCHED", "correlationId": "c98f8110-acb3-11ea-9d9b-0654f1d3f281", "interfaceName": "netsuite-salesapi", "tracePoint": "START", "timestamp": "2020-12-06T13:59:21.133Z" }
Now we need to create a regex for matching the key & value from businessFields array. And the values of "key" , "value" should be stored as multi-value fields. we need to use this regex in transforms.conf for creating indexed-fields.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Birbal
Engager
06-23-2020
12:42 PM
Have you already tried applying INDEXED_EXTRACTIONS=JSON in your props.conf at your universal forwarder level (or wherever the input is configured)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Birbal
Engager
06-23-2020
12:42 PM
Have you already tried applying INDEXED_EXTRACTIONS=JSON in your props.conf at your universal forwarder level (or wherever the input is configured)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nagendraDumpala
Engager
06-23-2020
11:26 PM
Hi Birbal,
Thank you so much for your support. Your suggestion make my job very cool.
Get Updates on the Splunk Community!
Enhance Your Splunk App Development: New Tools & Support
UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
