Problem formatting string to json

trem124 · ‎11-10-2020

Hi,

I have the following String that is logged by the application and I am wondering if there is a way to pretty print it just like the rest of the logs.

Here is the raw data :

{"timestamp":"2020-11-10T15:27:02.187Z","level":"INFO","thread":"main","logger":"ca.nbc.payment.pmtinternationallibrary.config.MyApplicationContextInitializer","message":"{\"code\": \"CODE\",\"text\":null,\"origin\":null,\"rule\": \"RULE\"}","context":"default"}

I guess it has something to do with the characters being escaped but I did not find anything that got it to work properly.

I would like to have something like :

{
"timestamp": "2020-11-09T20:54:57.245Z",
"level": "INFO",
"thread": "main",
"logger": "ca.nbc.payment.pmtinternationallibrary.config.MyApplicationContextInitializer",
"message": {
"code": "CODE",
"text": null,
"origin": null,
"rule": "RULE"},
"context": "default"
}

Thanks

ITWhisperer · ‎11-10-2020

| makeresults | eval _raw="{\"timestamp\":\"2020-11-10T15:27:02.187Z\",\"level\":\"INFO\",\"thread\":\"main\",\"logger\":\"ca.nbc.payment.pmtinternationallibrary.config.MyApplicationContextInitializer\",\"message\":\"{\\\"code\\\": \\\"CODE\\\",\\\"text\\\":null,\\\"origin\\\":null,\\\"rule\\\": \\\"RULE\\\"}\",\"context\":\"default\"}"
| rex mode=sed "s/\{/{\n/g s/,/,\n/g s/\n(?=\\\)/\n  /g s/\\\//g s/\}(?!\")/\n}/g s/\"\{/{/g s/\}\"/}/g"
| table _raw

Problem formatting string to json

field extraction

fields

lookup

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?

Problem formatting string to json

field extraction

fields

lookup

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud