Splunk Search

Problem formatting string to json

trem124
New Member

Hi,

I have the following string that is logged by the application and I am wondering if there is a way to pretty print it just like the rest of the logs.

Here is the raw data:

{"timestamp":"2020-11-10T15:27:02.187Z","level":"INFO","thread":"main","logger":"ca.nbc.payment.pmtinternationallibrary.config.MyApplicationContextInitializer","message":"{\"code\": \"CODE\",\"text\":null,\"origin\":null,\"rule\": \"RULE\"}","context":"default"}

I guess it has something to do with the characters being escaped but I did not find anything that got it to work properly.

I would like to have something like:

{
"timestamp": "2020-11-09T20:54:57.245Z",
"level": "INFO",
"thread": "main",
"logger": "ca.nbc.payment.pmtinternationallibrary.config.MyApplicationContextInitializer",
"message": {
    "code": "CODE",
    "text": null,
    "origin": null,
    "rule": "RULE"},
"context": "default"
}

Thanks

0 Karma

ITWhisperer
SplunkTrust
| makeresults | eval _raw="{\"timestamp\":\"2020-11-10T15:27:02.187Z\",\"level\":\"INFO\",\"thread\":\"main\",\"logger\":\"ca.nbc.payment.pmtinternationallibrary.config.MyApplicationContextInitializer\",\"message\":\"{\\\"code\\\": \\\"CODE\\\",\\\"text\\\":null,\\\"origin\\\":null,\\\"rule\\\": \\\"RULE\\\"}\",\"context\":\"default\"}"
| rex mode=sed "s/\{/{\n/g s/,/,\n/g s/\n(?=\\\)/\n  /g s/\\\//g s/\}(?!\")/\n}/g s/\"\{/{/g s/\}\"/}/g"
| table _raw
0 Karma
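The same reshaping done by parsing instead of text substitution, as an added example that is not part of the original thread: the outer event is decoded, any string field that itself holds a JSON object or array is decoded in turn, and the result is re-serialized with indentation. Python and the function names `expand_embedded_json` and `pretty_event` are assumptions made for illustration; the sample event is the one from the question.

```python
import json

# Sample input: the raw event from the question. The "message" value is a JSON
# document that was serialized into a string, hence the escaped quotes.
RAW_EVENT = r'''{"timestamp":"2020-11-10T15:27:02.187Z","level":"INFO","thread":"main","logger":"ca.nbc.payment.pmtinternationallibrary.config.MyApplicationContextInitializer","message":"{\"code\": \"CODE\",\"text\":null,\"origin\":null,\"rule\": \"RULE\"}","context":"default"}'''


def expand_embedded_json(value, max_depth=3):
    """Replace string values that contain a JSON object/array with the parsed structure.

    max_depth limits how many layers of re-encoded JSON are unwrapped.
    """
    if isinstance(value, dict):
        return {k: expand_embedded_json(v, max_depth) for k, v in value.items()}
    if isinstance(value, list):
        return [expand_embedded_json(v, max_depth) for v in value]
    if isinstance(value, str) and max_depth > 0:
        stripped = value.strip()
        # Only try strings that look like a container, so "123" or "null"
        # keep their string type instead of silently becoming numbers/None.
        if stripped[:1] in ("{", "["):
            try:
                parsed = json.loads(stripped)
            except ValueError:
                return value  # free text that merely starts with a brace
            return expand_embedded_json(parsed, max_depth - 1)
    return value


def pretty_event(raw, max_depth=3):
    """Parse one raw log line and return it indented, with embedded JSON expanded."""
    event = json.loads(raw)
    return json.dumps(expand_embedded_json(event, max_depth), indent=4)


if __name__ == "__main__":
    print(pretty_event(RAW_EVENT))
```

Because the structure comes from a JSON parser, a comma or brace inside a field value does not change the layout, and a `message` that is plain text is left as a string.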