Splunk Search

How to extract a multi value field called "GroupName" from my JSON data via the Field extractor IFX?

neerajs_81
Builder

Hello,  Can someone pls guide how to extract a multi value field called "GroupName" from my JSON data via the Field extractor IFX.  The different values are seperated by ",\" as you can see in the raw events.  By default it only extracts the 1st value - .

Raw events:

 

{"LogTimestamp": "Mon May 30 06:27:07 2022",[],"SAMLAttributes": "{\"FirstName\":[\"John\"],\"LastName\":[\"Doe\"],\"Email\":[\"John.doe@mycompany.com\"],\"DepartmentName\":[\"Group1-AVALON\"],\"GroupName\":[\"ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers\"],\"userAccount\":[\"Full Time\"]

 

 
Regex generated by the IFX causes GroupName to have only 1 value: "ZPA_Vendor_Azure_All".

I want it to display the other values also such as : Zscaler Proxy Users , NewRelic_FullUser , jira-users , AWS-SSO-lstech-viewonly-users, All Workers   .

The end of the different values of GroupName field is just before the "userAccount" field.

Hope i am clear

Labels (2)
Tags (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

With the string value GroupNames - do not drop the outer quotation marks; they help simplify the next step.  (Alternatively, drop all of those escaped quotation marks.)  Say, you have a value like 

\"ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers\"

the next filter would be to split them and some cleanup.

| eval GroupName = split(replace(GroupNames, "\\\\\"", ""), ",")

This particular method doesn't care whether the outer quotation marks are dropped or not.  But it is easier to troubleshoot if those marks are in place.

View solution in original post

Tags (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

If you really, really, really want to use regex to handle  this, you can extract the entire GroupName field as one string, then handle that string afterward, e.g.,

\\"GroupName\\":\[(?<GroupNames>[^\]]+)

But  really, structured data is best extracted using Splunk's builtin functions.  If the complete body of raw event is in JSON, the source type should be set to a JSON type, for example.  If the JSON is just part of an unstructured message, use kv_mode=json (c.f., Configure automatic key-value field extraction) in props.conf or spath in SPL.

neerajs_81
Builder

Hello,  I have extracted the entire GroupName field as one string for now.  Can you pls advise how to handle it further ?  I want it split further to show the different values and exclude characters like \" from the values.

Currently it shows value as below:

ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers


How can i get it to show like this ?  Basically GroupName will b a multi value field.

ZPA_Vendor_Azure_All
Zscaler Proxy Users
NewRelic_FullUser
jira-users
All Workers

 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

With the string value GroupNames - do not drop the outer quotation marks; they help simplify the next step.  (Alternatively, drop all of those escaped quotation marks.)  Say, you have a value like 

\"ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers\"

the next filter would be to split them and some cleanup.

| eval GroupName = split(replace(GroupNames, "\\\\\"", ""), ",")

This particular method doesn't care whether the outer quotation marks are dropped or not.  But it is easier to troubleshoot if those marks are in place.

Tags (1)
0 Karma

neerajs_81
Builder

Thank you.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...