Re: JSON + KV Extraction

himynamesdave · ‎02-16-2017

I have some JSON events, with fields extracted correctly.

Inside the JSON event is a key value dictionary like so

"integrations": ["product=splunk, product_version=6.5, name=splunk"]

The resulting JSON extracted field / value -- intgrations=["product=splunk, product_version=6.5, name=splunk"]

As a regex n00b having relied on IFX in the past, I'm now trying to split product, product_version, and name into fields too.

How would I form a regular expression to use as a field extraction to specify these 3 fields (i.e field starts with "product=" and ends with either "," or """ (not all fields are always in dictionary)?

nickhills · ‎02-16-2017

your basesearch |rename 'integrations.product' as product| rename 'integrations.product_version' as product_version|rename 'integrations.name' as name|table product product_version_name

If I understood should sort you out without having to extract fields.

You could add each rename command to a calculated field if you wished which would perform this for you automaticly

If my comment helps, please give it a thumbs up!

rbardonetorian · ‎02-16-2017

Check out rubular.com and have fun yourself.

JSON + KV Extraction

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

JSON + KV Extraction

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk