Solved: How to Remove event prefix from JSON using SEDCMD ...

iamsplunker · ‎09-11-2023

Hi Splunk community,

I've JSON logs and I wanted to remove the prefix from the events and capture from {"successfulSetoflog
until AZURE API Health Event"}

Sample Event:

2020-02-10T17:42:41.088Z 775ab4c6-ccc3-600b-9c84-124320628f00 {"records": [{"value": {"successfulSetoflog": [{"awsAccountId": "123456789123", "event": {"arn": "arn:aws:health:us-east-........................................................ 1}, "detail-case": "AZURE API Health Event"}}]}

The expected output would be

{"successfulSetoflog": [{"awsAccountId": "123456789123", "event": {"arn": "arn:aws:health:us-east-........................................................ 1}, "detail-case": "AZURE API Health Event"}

iamsplunker · ‎09-11-2023

By applying these settings in props.conf the prefix was removed and events are parsing as expected.

SEDCMD-1=s/^[^\{]+{"records":\s+\[\{"value":\s//

SEDCMD-2=s/}\]\}//

View solution in original post

iamsplunker · ‎09-11-2023

By applying these settings in props.conf the prefix was removed and events are parsing as expected.

SEDCMD-1=s/^[^\{]+{"records":\s+\[\{"value":\s//

SEDCMD-2=s/}\]\}//

How to Remove event prefix from JSON using SEDCMD in props.conf?

metadata

regex

rex

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Leverage Cisco Talos Threat Intelligence Across Splunk Security Products