Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract JSON from event data with rex?

robertlabrie
Path Finder
‎08-07-2014 09:34 AM

I get Amazon SES bounce notifications via email. I'm using the IMAP plugin to read that email. Works fine. The email includes a JSON payload in the body of the email. I'm extracting it thusly:

index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "\{(?<json_data>.*)" | eval json_data="{".json_data | spath input=json_data

It works fine, but my Regex-foo is poor and I don't know how to keep the leading brace, which is why I'm re-attaching it with an eval later. It works, but it's ugly and embarrassing. If anyone with Regex skills could take a look, it would help a lot.

Thanks,
Rob

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-07-2014 10:24 AM

Try this

 index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "(?<json_data>\{.*)" | spath input=json_data

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-07-2014 10:24 AM

Try this

 index=mail "notificationType\":\"Bounce\",\"bounce" |  rex "(?<json_data>\{.*)" | spath input=json_data
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...