Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

RegEx to Parse Field Containing Json Format

ahaveles
New Member
‎04-15-2020 02:23 PM

I am attempting to parse logs that contain fields similar to the example below. Field name being ValidFilterColumns, which contains an json format of these objects containing key/value pairs for Id and Name. 

ValidFilterColumns="[{"Id":"124","Name":"OrderId"},{"Id":"25","Name":"AssetClass"},{"Id":"123","Name":"Custodian"},{"Id":"13","Name":"Country"},{"Id":"1","Name":"Symbol"}]"

My question is, how could I compose a RegEx that parses out the Ids and Names of each object in the array?

Also as a note: I have tried making the fields extracted fields, but they will only function properly if another log's field contains the same number of objects.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 04:44 PM 
| makeresults
| eval _raw="ValidFilterColumns=\"[{\"Id\":\"124\",\"Name\":\"OrderId\"},{\"Id\":\"25\",\"Name\":\"AssetClass\"},{\"Id\":\"123\",\"Name\":\"Custodian\"},{\"Id\":\"13\",\"Name\":\"Country\"},{\"Id\":\"1\",\"Name\":\"Symbol\"}]"
| rex max_match=0 "(?ms){\"Id\":\"(?<id>\d+)\",\"Name\":\"(?<Name>\w+)\"}"

| rex mode=sed "s/(.*)=\"(.*)\"/{\"\1\":\2}/"
| spath

as you like.

0 Karma
Reply

ahaveles
New Member
‎04-16-2020 06:44 AM

Sorry I am a bit lost, should these all be chained together in the search as they are above, or are lines 2 and 3 interchangeable with lines 5 and 6?

0 Karma
Reply

to4kawa
Ultra Champion
‎04-16-2020 01:32 PM

no, not chain. Here is two method.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...