I am attempting to parse logs that contain fields similar to the example below. Field name being ValidFilterColumns, which contains an json format of these objects containing key/value pairs for Id and Name.
ValidFilterColumns="[{"Id":"124","Name":"OrderId"},{"Id":"25","Name":"AssetClass"},{"Id":"123","Name":"Custodian"},{"Id":"13","Name":"Country"},{"Id":"1","Name":"Symbol"}]"
My question is, how could I compose a RegEx that parses out the Ids and Names of each object in the array?
Also as a note: I have tried making the fields extracted fields, but they will only function properly if another log's field contains the same number of objects.
| makeresults
| eval _raw="ValidFilterColumns=\"[{\"Id\":\"124\",\"Name\":\"OrderId\"},{\"Id\":\"25\",\"Name\":\"AssetClass\"},{\"Id\":\"123\",\"Name\":\"Custodian\"},{\"Id\":\"13\",\"Name\":\"Country\"},{\"Id\":\"1\",\"Name\":\"Symbol\"}]"
| rex max_match=0 "(?ms){\"Id\":\"(?<id>\d+)\",\"Name\":\"(?<Name>\w+)\"}"
| rex mode=sed "s/(.*)=\"(.*)\"/{\"\1\":\2}/"
| spath
as you like.
Sorry I am a bit lost, should these all be chained together in the search as they are above, or are lines 2 and 3 interchangeable with lines 5 and 6?
no, not chain. Here is two method.