Solved: json SED problem

General_Talos · ‎07-05-2021

Hi ,

I am having json logs which I on-boarded to Splunk

{"body":{"records": {"time": "2020-12-20T13:28:50.2164144Z","MachineGroup": "Windows 10", "Timestamp": "2020-12-20T13:27:18.6679858Z", "DeviceName": "3242d4e4.dc.democorp.com", "ReportId": 306737}}},"x-opt-sequence-number":159959006,"x-opt-offset":"2713650553292728","x-opt-enqueued-time":1624195823422}

I am trying to remove everything after "}}}" with SEDCMD and my props.conf is below-mentioned

[json_log]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
INDEXED_EXTRACTIONS = json
KV_MODE = none
DATETIME_CONFIG = CURRENT
TRUNCATE = 0
SEDCMD-unwantedfields=s/\}\}\}(.*)/g

Fields are not in raw logs, however when expending details can see the field values

Any suggestion, what I am doing wrong ?

https://regex101.com/r/btYSah/1

General_Talos · ‎07-05-2021

Thanks @kamlesh

Minor changes, resulted in required result.

SEDCMD-unwantedfields=s/\}\}\}(.*)\}/g

View solution in original post

kamlesh_vaghela · ‎07-05-2021

@General_Talos

Can you please try this?

[json_log]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SEDCMD-unwantedfields=s/\}\}\}(.*)/}}}/g

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

General_Talos · ‎07-05-2021

Thanks @kamlesh

Minor changes, resulted in required result.

SEDCMD-unwantedfields=s/\}\}\}(.*)\}/g

json SED problem

JSON

props.conf

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...