Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- extract message field from JSON
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
extract message field from JSON
trying to extract the msg field from an azure blob which uses the _json sourcetype - the msg : field shows as one long field - how to extract this please ?
msg: 2018-07-10T06:53:42.803Z email|5b3c37d::Rules::ValidateUser:: ::BEGIN-RULE::
Validate - user {"_id":"25fd57973c","email":"blah@hotmail.com","email_verified":true,"clientID":"8NReZXmds4","updated_at":"2018-07-10T06:53:42.764Z","name":"blah@hotmail.com","picture":"https://web.png","user_id":"email|5b3c37dd","nickname":"nickname","identities":[{"user_id":"5b3c3","provider":"email","connection":"email","isSocial":false}],"created_at":"2018-07-04T02:58:55.014Z","user_metadata":{"firstname":"bob","lastname":"bob","name":"bob bob"},"global_client_id":"rEJsAkwGVI","app_metadata":{"client_info":{"MyAccount":{"first_login_time":"2018-07-04T02:58:55.422Z","count":7,"last_login_time":"2018-07-10T06:49:40.126Z","user_id":"a0uid_xxxxx"}}},"client_info":{"MyAccount":{"first_login_time":"2018-07-04T02:58:55.422Z","count":7,"last_login_time":"2018-07-10T06:49:40.126Z","user_id":"a0uid_46"}},"persistent":{}}
thanks
*** UPDATE ***
So i've made some progress where i can create a new_msg field stripping off the non-json part of the msg field :
2018-07-10T06:53:42.803Z email|5b3c37d::Rules::ValidateUser:: ::BEGIN-RULE::Validate - user
and then that allows me to run spath on the new_msg
| rex field=msg "^[^{]+(?<new_msg>.*)" | spath input=new_msg
now my field count has gone from ~50 to 500+
Is there a better way ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pls try this in your search and let me know..
extract pairdelim=",", kvdelim='":"'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can also use the below mentioned regex, there are two regex, one captures everything after msg and other captures only till email, try this and let me know if it works for you.
yourBaseQuery
|rex "\msg:\s+(?.*)"
| complete your search
yourBaseQuery
| rex \msg:\s+(?\w+-\w+-\w+:\w+:\w+.\w+\s+\w+)
| complete your search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
both of these errored with Regex: unrecognized character follows \
I have updated my progress above. TY
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
