Solved: Re: Remove event prefix from JSON using SEDCMD in ...

iamsplunker · ‎09-11-2023

Hi Splunk community,

I've JSON logs and I wanted to remove the prefix from the events and capture from {"successfulSetoflog
until AZURE API Health Event"}

Sample Event:

2020-02-10T17:42:41.088Z 775ab4c6-ccc3-600b-9c84-124320628f00 {"records": [{"value": {"successfulSetoflog": [{"awsAccountId": "123456789123", "event": {"arn": "arn:aws:health:us-east-........................................................ 1}, "detail-case": "AZURE API Health Event"}}]}

The expected output would be

{"successfulSetoflog": [{"awsAccountId": "123456789123", "event": {"arn": "arn:aws:health:us-east-........................................................ 1}, "detail-case": "AZURE API Health Event"}

iamsplunker · ‎09-11-2023

By applying these settings in props.conf the prefix was removed and events are parsing as expected.

SEDCMD-1=s/^[^\{]+{"records":\s+\[\{"value":\s//

SEDCMD-2=s/}\]\}//

View solution in original post

iamsplunker · ‎09-11-2023

By applying these settings in props.conf the prefix was removed and events are parsing as expected.

SEDCMD-1=s/^[^\{]+{"records":\s+\[\{"value":\s//

SEDCMD-2=s/}\]\}//

How to Remove event prefix from JSON using SEDCMD in props.conf?

metadata

regex

rex

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?