Solved: How to extract JSON from event data with rex?

robertlabrie · ‎08-07-2014

I get Amazon SES bounce notifications via email. I'm using the IMAP plugin to read that email. Works fine. The email includes a JSON payload in the body of the email. I'm extracting it thusly:

index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "\{(?<json_data>.*)" | eval json_data="{".json_data | spath input=json_data

It works fine, but my Regex-foo is poor and I don't know how to keep the leading brace, which is why I'm re-attaching it with an eval later. It works, but it's ugly and embarrassing. If anyone with Regex skills could take a look, it would help a lot.

Thanks,
Rob

somesoni2 · ‎08-07-2014

Try this

 index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "(?<json_data>\{.*)" | spath input=json_data

View solution in original post

somesoni2 · ‎08-07-2014

Try this

 index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "(?<json_data>\{.*)" | spath input=json_data

How to extract JSON from event data with rex?

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

Are you a member of the Splunk Community?

How to extract JSON from event data with rex?

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?