Splunk Search

How to extract a multi value field called "GroupName" from my JSON data via the Field extractor IFX?

neerajs_81
Builder

Hello,  Can someone pls guide how to extract a multi value field called "GroupName" from my JSON data via the Field extractor IFX.  The different values are seperated by ",\" as you can see in the raw events.  By default it only extracts the 1st value - .

Raw events:

 

{"LogTimestamp": "Mon May 30 06:27:07 2022",[],"SAMLAttributes": "{\"FirstName\":[\"John\"],\"LastName\":[\"Doe\"],\"Email\":[\"John.doe@mycompany.com\"],\"DepartmentName\":[\"Group1-AVALON\"],\"GroupName\":[\"ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers\"],\"userAccount\":[\"Full Time\"]

 

 
Regex generated by the IFX causes GroupName to have only 1 value: "ZPA_Vendor_Azure_All".

I want it to display the other values also such as : Zscaler Proxy Users , NewRelic_FullUser , jira-users , AWS-SSO-lstech-viewonly-users, All Workers   .

The end of the different values of GroupName field is just before the "userAccount" field.

Hope i am clear

Labels (2)
Tags (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

With the string value GroupNames - do not drop the outer quotation marks; they help simplify the next step.  (Alternatively, drop all of those escaped quotation marks.)  Say, you have a value like 

\"ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers\"

the next filter would be to split them and some cleanup.

| eval GroupName = split(replace(GroupNames, "\\\\\"", ""), ",")

This particular method doesn't care whether the outer quotation marks are dropped or not.  But it is easier to troubleshoot if those marks are in place.

View solution in original post

Tags (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

If you really, really, really want to use regex to handle  this, you can extract the entire GroupName field as one string, then handle that string afterward, e.g.,

\\"GroupName\\":\[(?<GroupNames>[^\]]+)

But  really, structured data is best extracted using Splunk's builtin functions.  If the complete body of raw event is in JSON, the source type should be set to a JSON type, for example.  If the JSON is just part of an unstructured message, use kv_mode=json (c.f., Configure automatic key-value field extraction) in props.conf or spath in SPL.

neerajs_81
Builder

Hello,  I have extracted the entire GroupName field as one string for now.  Can you pls advise how to handle it further ?  I want it split further to show the different values and exclude characters like \" from the values.

Currently it shows value as below:

ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers


How can i get it to show like this ?  Basically GroupName will b a multi value field.

ZPA_Vendor_Azure_All
Zscaler Proxy Users
NewRelic_FullUser
jira-users
All Workers

 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

With the string value GroupNames - do not drop the outer quotation marks; they help simplify the next step.  (Alternatively, drop all of those escaped quotation marks.)  Say, you have a value like 

\"ZPA_Vendor_Azure_All\",\"Zscaler Proxy Users\",\"NewRelic_FullUser\",\"jira-users\",\"AWS-SSO-lstech-viewonly-users\",\"All Workers\"

the next filter would be to split them and some cleanup.

| eval GroupName = split(replace(GroupNames, "\\\\\"", ""), ",")

This particular method doesn't care whether the outer quotation marks are dropped or not.  But it is easier to troubleshoot if those marks are in place.

Tags (1)
0 Karma

neerajs_81
Builder

Thank you.

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...