Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

JSON + KV Extraction

himynamesdave
Contributor
‎02-16-2017 05:46 AM

I have some JSON events, with fields extracted correctly.

Inside the JSON event is a key value dictionary like so

"integrations": ["product=splunk, product_version=6.5, name=splunk"]

The resulting JSON extracted field / value -- intgrations=["product=splunk, product_version=6.5, name=splunk"]

As a regex n00b having relied on IFX in the past, I'm now trying to split product, product_version, and name into fields too.

How would I form a regular expression to use as a field extraction to specify these 3 fields (i.e field starts with "product=" and ends with either "," or """ (not all fields are always in dictionary)?

0 Karma
Reply

nickhills
Ultra Champion
‎02-16-2017 06:32 AM 
your basesearch |rename 'integrations.product' as product| rename 'integrations.product_version' as product_version|rename 'integrations.name' as name|table product product_version_name

If I understood should sort you out without having to extract fields.

You could add each rename command to a calculated field if you wished which would perform this for you automaticly

If my comment helps, please give it a thumbs up!
0 Karma
Reply

rbardonetorian
Path Finder
‎02-16-2017 06:14 AM

Check out rubular.com and have fun yourself.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...