Hi, I have a string in the following format:
msg: Logging interaction event { eventId: '12dea8c0-dfb2-4988-9e97-314dd6243918', eventAction: 'Failed', eventType: '123event', eventSubtype: '1234eventsub', domainName: 'common', appName: 'authentication', containerName: 'root', containerVersion: '0.0.973' }
I am unable to extract eventType and eventSubtype because of the text "Logging interaction event". How can I get rid of this text and extract these fields?
This should work:
| rex field=msg "(?<json>{[^\}]+})" | eval json=replace(replace(json,"(\w+):","\"\1\":"),"'([^']+)'","\"\1\"") | spath input=json
I like the way you fixed the quoting in the json.
You can use the rex command to strip out the undesired text, but I doubt it will help. This example query still fails.
| makeresults
| eval _raw="msg: Logging interaction event { eventId: '12dea8c0-dfb2-4988-9e97-314dd6243918', eventAction: 'Failed', eventType: '123event', eventSubtype: '1234eventsub', domainName: 'common', appName: 'authentication', containerName: 'root', containerVersion: '0.0.973' }"
| rex "(?<field2>\{[\s\S]+})"
| spath input=field2
The search log reports:
WARN SPathCommand - Some events are not in XML or JSON format. Fields will not be extracted from these events.
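Added example, not part of any post above: a self-contained search that applies the key and value quoting before spath, since the braces hold unquoted keys and single-quoted values, which is not JSON. It goes slightly beyond the thread by quoting a key only when it follows "{" or ",", so a value containing colons is left intact; the eventTime field and its value are constructed for illustration and are not in the original event.

```spl
| makeresults
| eval example_note="constructed sample: eventTime is not in the original event"
| eval msg="Logging interaction event { eventId: '12dea8c0-dfb2-4988-9e97-314dd6243918', eventAction: 'Failed', eventType: '123event', eventSubtype: '1234eventsub', eventTime: '2024-01-01T10:15:00Z' }"
| rex field=msg "(?<json>\{[^}]+\})"
| eval json=replace(json, "([{,]\s*)(\w+)\s*:", "\1\"\2\":")
| eval json=replace(json, "'([^']*)'", "\"\1\"")
| spath input=json
| table eventAction eventType eventSubtype eventTime json
```

Values that themselves contain an apostrophe or a double quote would still produce invalid JSON with this rewrite and need separate handling.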