Solved: How to extract JSON from event data with rex?

robertlabrie · ‎08-07-2014

I get Amazon SES bounce notifications via email. I'm using the IMAP plugin to read that email. Works fine. The email includes a JSON payload in the body of the email. I'm extracting it thusly:

index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "\{(?<json_data>.*)" | eval json_data="{".json_data | spath input=json_data

It works fine, but my Regex-foo is poor and I don't know how to keep the leading brace, which is why I'm re-attaching it with an eval later. It works, but it's ugly and embarrassing. If anyone with Regex skills could take a look, it would help a lot.

Thanks,
Rob

somesoni2 · ‎08-07-2014

Try this

 index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "(?<json_data>\{.*)" | spath input=json_data

View solution in original post

somesoni2 · ‎08-07-2014

Try this

 index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "(?<json_data>\{.*)" | spath input=json_data

How to extract JSON from event data with rex?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to extract JSON from event data with rex?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25