Solved: How to extract JSON from event data with rex?

robertlabrie · ‎08-07-2014

I get Amazon SES bounce notifications via email. I'm using the IMAP plugin to read that email. Works fine. The email includes a JSON payload in the body of the email. I'm extracting it thusly:

index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "\{(?<json_data>.*)" | eval json_data="{".json_data | spath input=json_data

It works fine, but my Regex-foo is poor and I don't know how to keep the leading brace, which is why I'm re-attaching it with an eval later. It works, but it's ugly and embarrassing. If anyone with Regex skills could take a look, it would help a lot.

Thanks,
Rob

somesoni2 · ‎08-07-2014

Try this

 index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "(?<json_data>\{.*)" | spath input=json_data

View solution in original post

somesoni2 · ‎08-07-2014

Try this

 index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "(?<json_data>\{.*)" | spath input=json_data

How to extract JSON from event data with rex?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to extract JSON from event data with rex?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits