Solved: rex during search convert to transforms/props duri...

jtm7x2 · ‎08-12-2024

Hello. I have a data source that is "mostly" json formatted, except it uses single quotes instead of double, therefore, splunk is not honoring it if I set the sourcetype to json.

If I run a query against it using this:

sourcetype="test" | rex field=_raw mode=sed "s/'/\"/g"
| spath

it works fine, and all fields are extracted.

How can I configure props and transforms to perform this change at index time so that my users don't need to have the additional search parameters and all the fields are extracted by default, short of manually extracting each field?

Example event, no nested fields:

{'date': '2024-02-10', 'time': '18:59:27', 'field1': 'foo', 'field2': 'bar'}

jtm7x2 · ‎08-13-2024

Thanks. I got it to work, but had to modify the syntax slightly to remove the backslashes - this worked.

[yoursourcetype]
SEDCMD-singletodouble=s/'/"/g

View solution in original post

marnall · ‎08-12-2024

You can use a SEDCMD to replace all the single quotes with double-quotes before indexing.

in Props.conf:

[yoursourcetype]
SEDCMD-singletodouble=s/\'/\"/g

jtm7x2 · ‎08-13-2024

Thanks. I got it to work, but had to modify the syntax slightly to remove the backslashes - this worked.

[yoursourcetype]
SEDCMD-singletodouble=s/'/"/g

rex during search convert to transforms/props during indexing help

rex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?