RegEx to Parse Field Containing Json Format

ahaveles · ‎04-15-2020

I am attempting to parse logs that contain fields similar to the example below. Field name being ValidFilterColumns, which contains an json format of these objects containing key/value pairs for Id and Name.

ValidFilterColumns="[{"Id":"124","Name":"OrderId"},{"Id":"25","Name":"AssetClass"},{"Id":"123","Name":"Custodian"},{"Id":"13","Name":"Country"},{"Id":"1","Name":"Symbol"}]"

My question is, how could I compose a RegEx that parses out the Ids and Names of each object in the array?

Also as a note: I have tried making the fields extracted fields, but they will only function properly if another log's field contains the same number of objects.

to4kawa · ‎04-15-2020

| makeresults
| eval _raw="ValidFilterColumns=\"[{\"Id\":\"124\",\"Name\":\"OrderId\"},{\"Id\":\"25\",\"Name\":\"AssetClass\"},{\"Id\":\"123\",\"Name\":\"Custodian\"},{\"Id\":\"13\",\"Name\":\"Country\"},{\"Id\":\"1\",\"Name\":\"Symbol\"}]"
| rex max_match=0 "(?ms){\"Id\":\"(?<id>\d+)\",\"Name\":\"(?<Name>\w+)\"}"

| rex mode=sed "s/(.*)=\"(.*)\"/{\"\1\":\2}/"
| spath

as you like.

ahaveles · ‎04-16-2020

Sorry I am a bit lost, should these all be chained together in the search as they are above, or are lines 2 and 3 interchangeable with lines 5 and 6?

to4kawa · ‎04-16-2020

no, not chain. Here is two method.

RegEx to Parse Field Containing Json Format

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

RegEx to Parse Field Containing Json Format

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers