Solved: Re: Remove event prefix from JSON using SEDCMD in ...

iamsplunker · ‎09-11-2023

Hi Splunk community,

I've JSON logs and I wanted to remove the prefix from the events and capture from {"successfulSetoflog
until AZURE API Health Event"}

Sample Event:

2020-02-10T17:42:41.088Z 775ab4c6-ccc3-600b-9c84-124320628f00 {"records": [{"value": {"successfulSetoflog": [{"awsAccountId": "123456789123", "event": {"arn": "arn:aws:health:us-east-........................................................ 1}, "detail-case": "AZURE API Health Event"}}]}

The expected output would be

{"successfulSetoflog": [{"awsAccountId": "123456789123", "event": {"arn": "arn:aws:health:us-east-........................................................ 1}, "detail-case": "AZURE API Health Event"}

iamsplunker · ‎09-11-2023

By applying these settings in props.conf the prefix was removed and events are parsing as expected.

SEDCMD-1=s/^[^\{]+{"records":\s+\[\{"value":\s//

SEDCMD-2=s/}\]\}//

View solution in original post

iamsplunker · ‎09-11-2023

By applying these settings in props.conf the prefix was removed and events are parsing as expected.

SEDCMD-1=s/^[^\{]+{"records":\s+\[\{"value":\s//

SEDCMD-2=s/}\]\}//

How to Remove event prefix from JSON using SEDCMD in props.conf?

metadata

regex

rex

The All New Performance Insights for Splunk

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?