Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove header to have only json element

mah
Builder
‎09-01-2021 01:00 AM

Hi, 

I have a log like this :

2021-09-01T07:25:12.314Z id-xxx-xxx-xxx STATE {"Id":"id-xxx-xxx-xxx","timestamp":"2021-09-01T07:25:12.145Z","sourceType":"my_sourcetype","source":"source_name","Type":"my_type","event":{"field":"my_field"},"time":169,"category":"XXX"}

My props.conf is like that :

[extract_json]
TRUNCATE = 999999

SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TIME_PREFIX=timestamp:
MAX_TIMESTAMP_LOOKAHEAD=10000
BREAK_ONLY_BEFORE ={$
MUST_BREAK_AFTER=}$

SEDCMD-remove-header = s/^[0-9T\:Z]*.*\s*{/{/g

My issue is that I need to extract only the json element from my logs but with those parameters from my props I get a bad extraction : the end of my json ( {"field":"my_field"},"time":169,"category":"XXX"} ) goes to an other event line and is not in json.

I have children brackets into parent bracket and I think my SEDCMD is not correct.

I would have the entire json element in one event. 

Can you help me please ?

Thank you !

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2021 01:15 AM

Try something like

SEDCMD-remove-header = s/^[0-9T\:Z]*.*?\s*{/{/g

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-01-2021 01:15 AM

Try something like

SEDCMD-remove-header = s/^[0-9T\:Z]*.*?\s*{/{/g
0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-01-2021 02:24 AM

Hi @ITWhisperer 

It seems to work  great ! 

Thanks a lot !

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...