Re: JSON + KV Extraction

himynamesdave · ‎02-16-2017

I have some JSON events, with fields extracted correctly.

Inside the JSON event is a key value dictionary like so

"integrations": ["product=splunk, product_version=6.5, name=splunk"]

The resulting JSON extracted field / value -- intgrations=["product=splunk, product_version=6.5, name=splunk"]

As a regex n00b having relied on IFX in the past, I'm now trying to split product, product_version, and name into fields too.

How would I form a regular expression to use as a field extraction to specify these 3 fields (i.e field starts with "product=" and ends with either "," or """ (not all fields are always in dictionary)?

nickhills · ‎02-16-2017

your basesearch |rename 'integrations.product' as product| rename 'integrations.product_version' as product_version|rename 'integrations.name' as name|table product product_version_name

If I understood should sort you out without having to extract fields.

You could add each rename command to a calculated field if you wished which would perform this for you automaticly

If my comment helps, please give it a thumbs up!

rbardonetorian · ‎02-16-2017

Check out rubular.com and have fun yourself.

JSON + KV Extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation