Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with JSON Regex extraction

siksaw33
Path Finder
‎05-30-2022 01:05 PM

Similar to

https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-all-fields-from-userdata/m-p/596078#M...

Could you please help me with this I use

 

 

 

source=http:splunk_ecp_IPC2_kafka_logs sourcetype=yo_kafka_logs properties YoRouterLoggingInterceptor | rex "properties=(?\{.*\})" |table chatOriginUrl,firstName,lastName, conversationId,clientSourceId,engagedHandler

 

 

 

The string is

 

 

 

30 May 2022 08:38:20,741 log_level='DEBUG' thread_name='yoRouterExecutor-9' hostName=yo-router-b-deployment-39-gb2hf class_name='com.al.wsgcat.ngsp.yo.logging.YoRouterLoggingInterceptor' app=NGSPYO event_name=YOROUTER correlationId=BLiLDEyd-24052022-070434975 URI=https://yo.al.com/yo/gateway/v1/handleRouting,Method=POST,Headers=[Accept:"application/json", Content-Type:"application/json", Content-Length:"2388"],Request body={"yoMessage":{"messageText":"Representative has disconnected","from":null,"to":"mglueck@ngspchattims.al.com","properties":{"lineOfBusiness":"MYCA","messageCategory":"returningasync","messageCount":"","yoId":"svc.yo7@ngspchattims.al.com/Smack","transferIntentCode":"","experience":"platinum","checkoutStatus":"","customerMemberConnectionId":"44f4d6263627d8267385ea64d8bfc057","requestHandler":"","messageType":"ccpdisconnected","browserVersion":"Chrome 101.0.4951.61","action":"","workGroupName":"Social_Media_Team","chatType":null,"aao_locale":"en-US","microBotIntent":null,"deviceType":"mobile","applicationVersion":"1.0","interactionId":"159MS6U2J6NFHGP4","clientSourceId":"smrt","deviceOS":"Android 12","chatOriginUrl":"https://online.al.com/myca/mycaassist/us/startChat.do?request_type=authreg_home","messageId":"f3b5c925-2ac9-41a5-9917-41b0edb9e065","chatSessionId":"s_675f1a75-94b7-4e02-a240-94ef07b25c6e","masterBotIntent":null,"messageOrigin":"ccp","firstName":"J","userGroups":"","intentCode":"offers_generic","alSession":"","bbv":"6cf84eea-a1270454-e62fd5be-273cb071","smallCustomerArt":"","escalationIndicator":"","customerNumber":"CRPXMSYRO9UK7P3","riskflag":"","queuedTimeStamp":"","toId":"svc.yo24@ngspchattims.al.com/Smack","lastName":"","conversationHeader":"","customerProduct":"137","correlation-id":"f3b5c925-2ac9-41a5-9917-41b0edb9e065","channel-user-id":"44f4d6263627d8267385ea64d8bfc057","locale":"en-US","gatekeeper":"DF25AD3025E28FFB6B6C8701A1DA0DEEF8DA561973401A20FDC35FBFDB68118DEF63E653045C3B52BCDADCE57398C054AEA7B99DCD0FA2B1628E31E96AFE7BC0EC16F04DF6BA0CF2406C14EF3BFC6ECD73F4F8CC155AAD568EB6F44816A8C576667749FA70F9B9F48A99EC3723D2AEABEF11BBC65DB47E317B99BB95CC71D8D03B394999B87CC149618E59061DD0AD06A","historicalChat":"","confidenceScore":"","creditFlag":"N","engagedHandler":"mglueck","botId":"","channelId":"web","productCreatedDate":"","conversationId":"","conversationTopic":null,"languageId":"US","customerMemberId":"","ccpId":"mglueck","sessionId":"itc_9d9907d7-e64d-475f-b9ea-21b26e6b2797","globalCustomerMemberId":"","pegaMessageId":null,"createdDate":"2022-05-30T15:38:18.481Z","customerMemberIPAddress":"192.16.1","waitTime":"1358"}},"routeCode":"CCP","xmppId":"mglueck"}

 

 

 

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-30-2022 11:11 PM 
``` extract properties field including opening and next closing braces ```
| rex "properties\":\s*(?<properties>\{.*?\})"
``` extract JSON fields with spath ```
| spath input=properties
``` table fields ```
| table chatOriginUrl,firstName,lastName, conversationId,clientSourceId,engagedHandler

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-30-2022 11:11 PM 
``` extract properties field including opening and next closing braces ```
| rex "properties\":\s*(?<properties>\{.*?\})"
``` extract JSON fields with spath ```
| spath input=properties
``` table fields ```
| table chatOriginUrl,firstName,lastName, conversationId,clientSourceId,engagedHandler
Reply
Solved! Jump to solution

siksaw33
Path Finder
‎05-31-2022 07:19 AM

Thank you this worked!

@ITWhisperercould you please explain

| rex "properties\":\s*(?<properties>\{.*?\})"

in this example

| rex "OutboundWebHookPayload=(?<json>\{.*\})"

and in the previous example https://community.splunk.com/t5/Splunk-Search/Help-with-JSON-Regex-extraction/m-p/599795#M208765

how are they different? how do I learn to build these myself?

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2022 07:35 AM

In the first example, properties is extracted as { until the first }

In the second example, json is extracted as { until the last }

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...