Solved: extract json from string

ashodha · ‎01-05-2021

hi, I have a string int the following format:

msg: Logging interaction event { eventId: '12dea8c0-dfb2-4988-9e97-314dd6243918', eventAction: 'Failed', eventType: '123event', eventSubtype: '1234eventsub', domainName: 'common', appName: 'authentication', containerName: 'root', containerVersion: '0.0.973' }

i am unable to extract eventType and eventSubtype because of text "Logging interaction event" how cna i get rid of this text and extract these fields

ericjorgensenjr · ‎01-05-2021

This should work:

| rex field=msg "(?<json>{[^\}]+})" | eval json=replace(replace(json,"(\w+):","\"\1\":"),"'([^']+)'","\"\1\"") | spath input=json

View solution in original post

ericjorgensenjr · ‎01-05-2021

This should work:

| rex field=msg "(?<json>{[^\}]+})" | eval json=replace(replace(json,"(\w+):","\"\1\":"),"'([^']+)'","\"\1\"") | spath input=json

richgalloway · ‎01-05-2021

I like the way you fixed the quoting in the json.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎01-05-2021

You can use the rex command to strip out the undesired text, but I doubt it will help. This example query still fails.

| makeresults 
| eval _raw="msg: Logging interaction event { eventId: '12dea8c0-dfb2-4988-9e97-314dd6243918', eventAction: 'Failed', eventType: '123event', eventSubtype: '1234eventsub', domainName: 'common', appName: 'authentication', containerName: 'root', containerVersion: '0.0.973' }" 
| rex "(?<field2>\{[\s\S]+})" 
| spath input=field2

The search log reports:

WARN  SPathCommand - Some events are not in XML or JSON format.  Fields will not be extracted from these events.

---
If this reply helps you, Karma would be appreciated.

extract json from string

eval

field extraction

subsearch

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?