Hi
I want to extract some JSON fields (ENV,IP,PORT) from an already extracted field (http_cookie). That was not the problem in the Splunk search, but I don't know how to do that at search time. I can do it with the normal field extraction regex, but the json contains about 30-40 fields. Any idea for an "automated" way?
mysearch... | rex field=http_cookie mode=sed "s/\"\"/\"/g" | spath input=http_cookie
*the rex is because the json contains "" instead of "
Here is an example of an event:
"8918237123876","{""ENV"":""PRODUCTION"",""IP"":""10.0.0.1"",""PORT"":""443"",..}","www.somedomaim.com",...
My props & Transforms:
transforms.conf
[myName]
DELIMS = ","
FIELDS = "ID","http_cookie","domain"
props.conf
[mySourcetype]
REPORT-01-myName = myName
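To show offline what the question's search pipeline does (the DELIMS extraction, the rex mode=sed unescape, then spath decoding every JSON key without naming each one), here is an added Python model; it is not code from the post or from Splunk. The sample event, the extra UA key and the assumption that the delimiter extraction leaves the doubled quotes in place are constructed for the example, and the flattening also handles nested objects, which the post's flat JSON does not need.

```python
import json
# Constructed sample in the shape shown in the post: a comma-delimited record whose
# second column is a JSON object, with every embedded quote doubled ("" instead of ").
SAMPLE_EVENT = (
    '"8918237123876","{""ENV"":""PRODUCTION"",""IP"":""10.0.0.1"",""PORT"":""443"",'
    '""UA"":""Mozilla/5.0""}","www.somedomaim.com","GET"'
)
FIELDS = ["ID", "http_cookie", "domain"]  # names from the posted transforms.conf

def delims_split(event: str) -> list:
    """Model DELIMS=",": split on commas outside quotes and strip the outer quotes
    only, so doubled quotes survive (assumed to match the poster's extraction)."""
    columns, current, in_quotes = [], [], False
    for ch in event:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            columns.append("".join(current))
            current = []
        else:
            current.append(ch)
    columns.append("".join(current))
    return [c[1:-1] if len(c) > 1 and c[0] == c[-1] == '"' else c for c in columns]

def sed_unescape(value: str) -> str:
    # Same effect as the search step | rex mode=sed field=http_cookie "s/\"\"/\"/g"
    return value.replace('""', '"')

def is_valid_json(value: str) -> bool:
    """True when spath would be able to parse the value at all."""
    try:
        json.loads(value)
        return True
    except ValueError:
        return False

def flatten(obj, prefix: str = "") -> dict:
    """spath-style field names: nested keys joined with '.', values as strings."""
    if not isinstance(obj, dict):
        return {prefix: str(obj)}
    out = {}
    for key, val in obj.items():
        out.update(flatten(val, f"{prefix}.{key}" if prefix else key))
    return out

def search_time_extract(event: str) -> dict:  # the posted search: DELIMS -> sed -> spath
    fields = dict(zip(FIELDS, delims_split(event)))
    fields.update(flatten(json.loads(sed_unescape(fields["http_cookie"]))))
    return fields
```

Running `is_valid_json` on the raw http_cookie value shows why the sed step has to come before spath: with the doubled quotes still present the value is not JSON at all.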
Going by the heading of the post, if the auto extraction of ENV, IP, PORT is required at search time from an already extracted field called http_cookie then please follow this:
yourBaseQuery to get field http_cookie
| rex mode=sed field=http_cookie "s/\"\"/\"/g"
| rex max_match=0 field=http_cookie "\"ENV\":\"(?<env>[^\"]+)\",\"IP\":\"(?<ip>[^\"]+)\",\"PORT\"\:\"(?<port>[^\"]+)\""
| eval allFields=mvzip(mvzip(env, ip, "~"), port, "~")
| mvexpand allFields
| rex field=allFields "(?<ENV>[^~]+)\~(?<IP>[^~]+)\~(?<PORT>[\S]+)"
| table ENV, IP, PORT
Thanks for your reply, but this is not really what I want. The benefit of "spath" is that I don't need to extract every field.
But I see I need to go this way and extract all 30-40 fields with rex.