I have the raw data below. How do I get the strings after the "action": and put all the results into a new field?
{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}
{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}
@ddrillic you can use the sed command to replace : by = :
| rex field=_raw mode=sed "s/:/=/g"
So, great, we can replace the : with = and then the fields should be automatically detected. This will work much better and faster than my previous regex.
Is there a way to convert the : to = in the log file?
Add this to your search:
index=my index |rex field=source "\"action\":\"(?<action>[^\"]+)" |
If you don't want to get the action=Exit let me know. You can do the same for other field constants like dateTime, ID, account.
Did you miss a quote after "page: ? Can you show what's after page: ? Can action have multiple values separated by : ?
If there is more data after page: then use this:
"action":"(?<test>\w+|.+)"
This will grab everything inside the quotes
Hi dwong2,
Try it in https://regex101.com/
"action":"(?<test>\w+|.+)"
Basically you want to tell regex to search for "Action" and group any of the results into a field we can call on later, which in this example I named "test".
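Added example (not part of the thread): a Python script that runs the two extraction patterns suggested above, plus a bare \w+ for comparison, over the sample events from the question, and shows what the sed substitution does to the same events. Python named groups use (?P<name>...) instead of Splunk's (?<name>...); the key-value-only sed variant is my own addition, not one from the thread.

```python
import re

# Sample events copied from the question above (including the malformed ,xd":" field).
EVENTS = [
    '{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}',
    '{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}',
]

# The two patterns from the answers, translated to Python's (?P<name>...) syntax,
# plus a bare \w+ to show why the URL-style values need more than a word class.
PATTERNS = {
    "negated_class": r'"action":"(?P<action>[^"]+)"',
    "alternation":   r'"action":"(?P<action>\w+|.+)"',
    "word_only":     r'"action":"(?P<action>\w+)"',
}


def extract_action(event: str, pattern: str):
    """Return the captured action value, or None if the pattern does not match."""
    m = re.search(pattern, event)
    return m.group("action") if m else None


def extract_all(events, pattern):
    """Apply one pattern to every event, like rex does per _raw line."""
    return [extract_action(e, pattern) for e in events]


def sed_colon_to_equals(event: str) -> str:
    """Mimic `rex mode=sed "s/:/=/g"`: every colon becomes '=', including the ones
    inside the timestamp and the URL, which is why values get mangled."""
    return event.replace(":", "=")


def sed_keyvalue_colon(event: str) -> str:
    """Added variant (not from the thread): only rewrite the ':' that sits between a
    quoted key and a quoted value, leaving timestamps and URLs untouched."""
    return re.sub(r'":"', '"="', event)


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(name, extract_all(EVENTS, pat))
    for e in EVENTS:
        print(sed_colon_to_equals(e))
        print(sed_keyvalue_colon(e))
```

The \w+ alternative only succeeds on "Exit"; for the page: values the regex falls through to .+ (or to the negated class), which captures the whole URL up to the closing quote.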
If I wanted to search for this instead: "action":"page: ?