How to extract JSON fields from an already extract...

ColinCH · ‎11-08-2016

Hi

I want to extract some JSON fields (ENV,IP,PORT) from an already extracted field (http_cookie). That was not the problem in the Splunk search, but I don't know how to do that at search time. I can do it with the normal field extraction regex, but the json contains about 30-40 fields. Any idea for an "automated" way?

myearch...   | rex field=http_cookie mode=sed "s/\"\"/\"/g" | spath input=http_cookie
*the rex is because the json contains "" instead of "

Here is a example of the an event:

"8918237123876","{""ENV"":""PRODUCTION"",""IP"":""10.0.0.1"",""PORT"":""443"",..}","www.somedomaim.com",...

My props & Transforms:

transforms.conf

[myName]
DELIMS = ","
FIELDS = "ID","http_cookie","domain"

props.conf

[mySourcetype]
REPORT-01-myName = myName

gokadroid · ‎11-08-2016

Going by the heading of the post, if the auto extraction of ENV, IP, PORT is required at search time from an already extracted field called http_cookie then please follow this:

yourBaseQuery to get field http_cookie
| rex mode=sed field=http_cookie "s/\"\"/\"/g" 
| rex max_match=0 field=http_cookie  "\"ENV\":\"(?<env>[^\"]+)\",\"IP\":\"(?<ip>[^\"]+)\",\"PORT\"\:\"(?<port>[^\"]+)\""
| eval allFields=mvzip(mvzip (env, ip, "~"), port, "~")
| mvexpand allFields
| rex field=allFields "(?<ENV>[^~]+)\~(?<IP>[^~]+)\~(?<PORT>[\S]+)"
| table ENV, IP, PORT

ColinCH · ‎11-09-2016

Thanks for your reply but this is not really want i want. The benefit of "spath" is that i don't need to extract every field.

But i see i need to go this way and extract all 30-40 fields with rex.

How to extract JSON fields from an already extracted field at search time?

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today