Splunk Search

How to extract JSON fields from an already extracted field at search time?

Path Finder

Hi

I want to extract some JSON fields (ENV, IP, PORT) from an already extracted field (http_cookie). That was not the problem in the Splunk search, but I don't know how to do that at search time. I can do it with the normal field extraction regex, but the JSON contains about 30-40 fields. Any idea for an "automated" way?

mysearch ...   | rex field=http_cookie mode=sed "s/\"\"/\"/g" | spath input=http_cookie
*the rex is because the JSON contains "" instead of "

Here is an example of an event:

"8918237123876","{""ENV"":""PRODUCTION"",""IP"":""10.0.0.1"",""PORT"":""443"",..}","www.somedomaim.com",...

My props & Transforms:

transforms.conf

[myName]
DELIMS = ","
FIELDS = "ID","http_cookie","domain"

props.conf

[mySourcetype]
REPORT-01-myName = myName

Motivator

Going by the heading of the post, if the auto extraction of ENV, IP, PORT is required at search time from an already extracted field called http_cookie then please follow this:

yourBaseQuery to get field http_cookie
| rex mode=sed field=http_cookie "s/\"\"/\"/g" 
| rex max_match=0 field=http_cookie  "\"ENV\":\"(?<env>[^\"]+)\",\"IP\":\"(?<ip>[^\"]+)\",\"PORT\"\:\"(?<port>[^\"]+)\""
| eval allFields=mvzip(mvzip (env, ip, "~"), port, "~")
| mvexpand allFields
| rex field=allFields "(?<ENV>[^~]+)\~(?<IP>[^~]+)\~(?<PORT>[\S]+)"
| table ENV, IP, PORT
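For anyone reproducing this outside Splunk, here is an added example (my own code, not from either poster above) that does the same two things in Python on a constructed event in the shape the question shows: the CSV-style record is split into ID, http_cookie and domain, the doubled quotes that the rex mode=sed undoes are handled, and the http_cookie JSON is decoded whole (the spath-style result the question wants) next to the fixed-order ENV/IP/PORT regex from the reply. The sample events, the extra USER_AGENT key and the reordered second event are constructed for the example; only the ENV, IP, PORT values and the field names come from the post.

```python
"""Added example, not from the Splunk post: decode the http_cookie JSON
from a CSV-style event, both the spath-style way and the regex way."""
import csv
import io
import json
import re

# Constructed sample event in the shape the question describes: comma-
# delimited, every column double-quoted, second column a JSON document.
# CSV quoting doubles every quote inside a quoted column ("" for "), which
# is why the raw http_cookie value needs the sed fix before spath.
# The USER_AGENT key is constructed to include a JSON-escaped quote (\")
# so the edge case  \""  ->  \"  is exercised.
SAMPLE_EVENT = (
    '"8918237123876",'
    '"{""ENV"":""PRODUCTION"",""IP"":""10.0.0.1"",""PORT"":""443"",'
    '""USER_AGENT"":""Mozilla/5.0 (X11; Linux) \\""quoted\\"" UA""}",'
    '"www.somedomaim.com"\n'
)

# Same JSON, but with PORT first (constructed): shows the limit of the
# fixed-order regex approach.
REORDERED_EVENT = (
    '"1","{""PORT"":""443"",""ENV"":""PRODUCTION"",""IP"":""10.0.0.1""}",'
    '"www.somedomaim.com"\n'
)

# The http_cookie value exactly as a delimiter split that does NOT
# un-double quotes would hand it over (what the post's rex sed receives).
RAW_COOKIE = (
    '{""ENV"":""PRODUCTION"",""IP"":""10.0.0.1"",""PORT"":""443"",'
    '""USER_AGENT"":""Mozilla/5.0 (X11; Linux) \\""quoted\\"" UA""}'
)

# Column names from the transforms.conf stanza in the question.
FIELDS = ["ID", "http_cookie", "domain"]


def split_event(event: str) -> dict:
    """Equivalent of DELIMS="," with FIELDS: split one record into named
    columns. The csv module applies CSV quoting rules, so "" becomes "."""
    row = next(csv.reader(io.StringIO(event)))
    return dict(zip(FIELDS, row))


def undouble_quotes(raw: str) -> str:
    """Mirror of  rex mode=sed "s/\\"\\"/\\"/g"  on a raw, still-doubled
    value. A JSON-escaped quote arrives as \\"" and correctly becomes \\"."""
    return raw.replace('""', '"')


def decode_raw_cookie(raw: str) -> dict:
    """sed fix followed by a full JSON decode: the rex + spath pipeline."""
    return json.loads(undouble_quotes(raw))


def extract_cookie_fields(event: str) -> dict:
    """spath-style path: decode the whole JSON document, so every key
    (30-40 of them in the question) becomes a field with no per-key regex."""
    return json.loads(split_event(event)["http_cookie"])


# Regex from the reply (Python named groups instead of Splunk's (?<name>)).
ENV_IP_PORT = re.compile(
    r'"ENV":"(?P<env>[^"]+)","IP":"(?P<ip>[^"]+)","PORT":"(?P<port>[^"]+)"'
)


def extract_env_ip_port(event: str) -> dict:
    """Regex path: works only when the three keys are adjacent and in
    exactly this order; any other key order yields an empty result."""
    m = ENV_IP_PORT.search(split_event(event)["http_cookie"])
    return m.groupdict() if m else {}


if __name__ == "__main__":
    print("spath-style:", extract_cookie_fields(SAMPLE_EVENT))
    print("sed + decode:", decode_raw_cookie(RAW_COOKIE))
    print("regex, ordered:", extract_env_ip_port(SAMPLE_EVENT))
    print("regex, reordered:", extract_env_ip_port(REORDERED_EVENT))
```

The point the regex result makes is the one the follow-up below raises: a per-key rex pins both the key set and the key order, while decoding the JSON once yields every key regardless of order or count.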

Path Finder

Thanks for your reply, but this is not really what I want. The benefit of "spath" is that I don't need to extract every field.

But I see I need to go this way and extract all 30-40 fields with rex.
