How to extract a JSON part from an incoming stream...

mlange2007 · ‎09-27-2017

The JSON part to extract is MESSAGES. We created a REGEX which works in the search, but it should be also added permanently to this "transforms.conf" file.

Our solution, which didn't work, is:

[journald_clean_index_k8s]
REGEX=MESSAGE\":\"(?.*)\"
DEST_KEY = MetaData:Message
FORMAT= message:$1

DalJeanis · ‎09-28-2017

First, us there a particular reason you are wanting message to be a metadata field? I believe it can be as simple as this...

 [journald_clean_index_k8s]
 REGEX=^.*MESSAGE\":\"(?[^\"]*)\"
 FORMAT= Message::$1

...or even...

 [journald_clean_index_k8s]
 REGEX=^.*MESSAGE\":\"(?<Message>[^\"]*)\"

Updated to add a simpler version, and to use [^\"]* instead of .* to avoid backtracking.

Refer to this one for a little more instruction, including more steps if you want it indexed: https://answers.splunk.com/answers/171148/how-to-write-regex-to-extract-and-index-a-field-en.html

Second, do you want index time or search time extraction?

Here's some discussion about those considerations:

https://answers.splunk.com/answers/396276/should-i-use-an-index-time-field-extraction.html
https://answers.splunk.com/answers/234011/index-time-field-extraction-regexp-issue.html

How to extract a JSON part from an incoming stream from journald to output only one value with /opt/splunk/etc/slave-apps/_cluster/local/transforms.conf

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to extract a JSON part from an incoming stream from journald to output only one value with /opt/splunk/etc/slave-apps/_cluster/local/transforms.conf

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES