Solved: How do I extract fields from a json object (serial...

arungeorge09 · ‎11-16-2014

Sample data:

<167>1 2014-11-15T16:45:44.542-07:00 host.name.com neat 11151 gcm [meta@28281 sequenceId="43096" sysUpTime="858744854"][analytics@28281 event="pushGcm" platform="GCM" outcome="0" errorCode="0" errorDesc="Push to apns success" errorContext="TCP-SSL" operation="PUSH_GCM" opTime="46" startTime="1416095144542" appId="appId" deviceToken="token" args="{\"time\":\"1416095144194\",\"batch\":\"26966\",\"tms_id\":\"tmsid\",\"src\":\"src\"}" txId="907472412"]

I want to extract the args and put it back in its appropriate fields . I know I can use Field Extractions and Field transformations but not working.

Field Transformation
Name:NEAT_BATCH

Rex: batch\\\\\":\\\\\"(?.*?)\\\\\",

Field Extraction
Name:NEAT_BATCH

tom_frotscher · ‎11-17-2014

Hi,
try it with this regular expression for the batch field:

\\\"batch\\":\\"(?<batch>\d+)\\"

Greetings

Tom

View solution in original post

tom_frotscher · ‎11-17-2014

Hi,
try it with this regular expression for the batch field:

\\\"batch\\":\\"(?<batch>\d+)\\"

Greetings

Tom

arungeorge09 · ‎11-17-2014

Worked. Thanks Tom. Why does not it work with my regexp . Can you explain

tom_frotscher · ‎11-17-2014

Your regex didn't match. there are way to much "\" symbols in your regex and i think also your group definition "(?.*?)" is syntactically wrong.

How do I extract fields from a json object (serialized) and put it back to splunk index?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application