About olegr

olegr · ‎07-10-2023

Hello, I have a scripted input that runs a py script which returns json in this format in a single line: [ { "address": "blah@blah.com", "timeRanges": [ { "start": "2023-05-22T12:59:00.000Z", "end": "2023-05-25T13:48:19.000Z", }, { "start": "2023-06-12T04:06:56.000Z", } ], }, { "address": "blah1@blah1.com", "timeRanges": [ { "start": "2023-07-01T15:00:00.000Z", "end": "2023-07-05T04:38:08.000Z", } ], } ] Splunk indexes everything as a single record as below. Looking for a way to extract each object into its own record. When I import the file via the GUI, it parses it correctly, but not via the scripted input. Props: [my-source-type] NO_BINARY_CHECK = true INDEXED_EXTRACTIONS = json KV_MODE = none SHOULD_LINEMERGE = true TRUNCATE = 0

olegr · ‎03-22-2022

That did not work for me, but I ended up figuring it out using the following: | inputlookup lookup1.csv | rex field=User "^(?<UserShort>.+?)\-suffix" | eval identity = if(isnull(UserShort), User, UserShort) | join identity [inputlookup lookup2] ...

olegr · ‎03-21-2022

Hello, Looking for a way to partially join 2 inputlookups. Lookup 1: username, name jsmith, John jdoe, Joe Lookup 2:username,status jsmith-sa, enabled I would like to return a match on jsmith to jsmith-sa but have not been able to figure out how to partially join. ie search for jsmith* against lookup2 not for exact matches. The 2nd lookup may have the entire keyword or keyword-something Search returns: jsmith,jsmith-sa,enabled

Posts	5
Solutions	1
Karma Given	0
Karma Received	0
Member Since	‎03-21-2022

Online Status	Offline
Date Last Visited	‎07-11-2023 10:42 PM

Help extracting json at index time

How to partially join two lookups?

Help extracting json at index time

Re: How to partially join two lookups

How to partially join two lookups?

Join the Conversation

Help extracting json at index time

How to partially join two lookups?

Help extracting json at index time

Re: How to partially join two lookups

How to partially join two lookups?