Re: JSON + KV Extraction

himynamesdave · ‎02-16-2017

I have some JSON events, with fields extracted correctly.

Inside the JSON event is a key value dictionary like so

"integrations": ["product=splunk, product_version=6.5, name=splunk"]

The resulting JSON extracted field / value -- intgrations=["product=splunk, product_version=6.5, name=splunk"]

As a regex n00b having relied on IFX in the past, I'm now trying to split product, product_version, and name into fields too.

How would I form a regular expression to use as a field extraction to specify these 3 fields (i.e field starts with "product=" and ends with either "," or """ (not all fields are always in dictionary)?

nickhills · ‎02-16-2017

your basesearch |rename 'integrations.product' as product| rename 'integrations.product_version' as product_version|rename 'integrations.name' as name|table product product_version_name

If I understood should sort you out without having to extract fields.

You could add each rename command to a calculated field if you wished which would perform this for you automaticly

If my comment helps, please give it a thumbs up!

rbardonetorian · ‎02-16-2017

Check out rubular.com and have fun yourself.

JSON + KV Extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation