Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I extract all fields from userdata?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siksaw33
Path Finder
04-29-2022
07:46 AM
How do I extract all fields from userdata?
accept=application/json, timestamp=1651243086870} OutboundWebHookPayload={"clientType":"Client","mediaType":"ask","subject":"EscapeClient","userData":{"country":"UK","lastName":"ELMER","agentId":"7060856","conversationId":"conv_1d55ec01e970c8833e8b8206be287fce","sessionId":"itc_58f7ad65-fcb0-46bd-81-1717f84dd7","chatSessionId":"s_eaf99b35-59fd-4d36-8f8f-c6423f8ec610","locale":"en-GB","languageCode":"en","experience":"Default","publicGuid":"1d55ec01e970c8833e8b8206be287fce","accountNumber":"XXXXXXXXXXXXXXX","firstName":"LUKE","environment":"prod","intentCode":"statement_balance","upfrontRoutingIntent":"CardServices","InteractionType":"Resume","customerId":"508558871407","channelName":"MApp","ProductType":" Card"}}
I tried
userData | rex field=_raw "userData.:{.IACode.:.(?<IACode>[A-Za-f0-9]+).,.country.*upfrontRoutingIntent.:.(?<upfrontRoutingIntent>[^\"]+).," | table IACode upfrontRoutingIntent
But I need other fields like Experience and Product type as well
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-29-2022
08:30 AM
| rex "OutboundWebHookPayload=(?<json>\{.*\})"
| spath input=json userData output=userData
| spath input=userData- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siksaw33
Path Finder
05-04-2022
06:35 AM
ahh.. n00b mistake by me. @ITWhisperer you are correct. This worked, you are the best. Thanks a ton!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siksaw33
Path Finder
05-02-2022
11:29 AM
I dont get anyJSON string, I get what I was getting earlier. No changes. I get 1500 events in the below format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-02-2022
03:12 PM
Here is a runanywhere example showing the extraction
| makeresults
| eval _raw="02 May 2022 11:20:42,825 log_level='DEBUG' thread_name='https-jsse-nio-8443-exec-2999' environment=e3_ipc1 hostName=operator-a-deployment-42-kn9ph class_name='com.wsgcat.ngsp.logan.logger.LoganOperatorOutboundWebhookLogging' app=NGSPLOGAN event_name=LOGANOPERATOR logancorrelationId=fZFtvmmb-02052022-112040911 channel name=bean 'createRequestWithHeaderChannel' LoganOperatorOutboundWebhookLogging Info - OutboundWebHookHeaders={Authorization=Bearer eyJraWQiOiJyc2FLZXlVTklWIiwiYWxnIjoiUlM1MTIifQ.eyJzY3AiOlsiZnVuY3Rpb246XC9DcmVhdGVNZXNzYWdpbmdJbnRlcmFjdGlvbi52MSJdLCJzdWIiOiIzNWIyODNjNi01NTBhLTNiNTctYmZiMC1iY2I1N2Y3ZDRlYzEiLCJ2ZXIiOiIxLjAiLCJpc3MiOiJBbWV4SURhYVNJRCIsInR5cCI6ImFwcCIsImV4cCI6MTY1MTUxNTk2MCwianRpIjoiMjcyNjZmOTMtMTAzZi00M2FkLWE2ZDQtM2M2OGExNmVjNmFkIn0.X2HAnLvITD9ri/YVbyxCQyJcYjDmThYWOkHgz5yW3OaSmvAIscZA3O7tE6uE1c6aUyjOS+O3Qw6lHpSSG7D+5tp6whJb3Qa7eqiBY0hP4+iI8GYiRPXb2vZbFKLDPYQ4eVOPPJ0lZ3wh1Poqy5s+duZmVH7mx4rXwc+i6TL7S80OiI6LajCfuLE4swnq2n+zfFF2mWzK8DAr93vOlUkRB5eHWleGAYsng7bbC+KdDMqo06aZJDnfa2R/dxRdrhBwZrKMaWAqOLMrjmjgDrj2dMo0/UKsXKHdM83BIlPKCn+gJWjHG3D0ZEXwljrGTgm9YMBG8ZON4ieE05JPbsiI0w==, replyChannel=org.springframework.messaging.core.Template$TemporaryReplyChannel@6365782d, errorChannel=org.springframework.messaging.core.Template$TemporaryReplyChannel@6365782d, one-correlation-id=conv_cb44295ae5e9870f28ee1-02022-1121911, id=8997e7f6-59fa-ba5a-206c-0e7bfbf149c8, Content-Type=application/json, accept=application/json, timestamp=1651515642824} OutboundWebHookPayload={\"clientType\":\"Client\",\"mediaType\":\"ask\",\"subject\":\"AskEscapeClient\",\"userData\":{\"country\":\"US\",\"lastName\":\"DURFEE\",\"agentId\":\"6438\",\"conversationId\":\"conv_cb442617aae5e9870f28ee1\",\"sessionId\":\"itc_830e-bc73-a25aa95c6136\",\"chSessionId\":\"s_7c33b596- -816d21874c5e\",\"locale\":\"en-US\",\"languageCode\":\"en\",\"experience\":\"Pl\",\"publicGuid\":\"cb44295c401145617aae5e9870f28ee1\",\"accountNumber\":\"XXXXXXXXXXXXXXX\",\"firstName\":\"JO\",\"environment\":\"prod\",\"intentCode\":\"travel\",\"upfrontRoutingIntent\":\" travel\",\"InteractionType\":\"Resume\",\"customerId\":\"284745861019\",\"channelName\":\"MA\",\"ProductType\":\"Pla\"}}"
| rex "OutboundWebHookPayload=(?<json>\{.*\})"
| spath input=json userData output=userData
| spath input=userData- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-29-2022
08:30 AM
| rex "OutboundWebHookPayload=(?<json>\{.*\})"
| spath input=json userData output=userData
| spath input=userData- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siksaw33
Path Finder
04-29-2022
01:52 PM
Sorry @ITWhisperer this did not work. Maybe I am doing something wrong. But this is not converting and returning the userdata package to a table format.
userData | rex "OutboundWebHookPayload=(?<json>\{.*\})"
| spath input=json userData output=userData
| spath input=userData
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-01-2022
11:00 AM
OK So what are you getting?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siksaw33
Path Finder
05-01-2022
11:35 AM
Nothing @ITWhisperer I just get the events that I was getting earlier. No regex parsing. Could you please double check?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
05-01-2022
12:51 PM
Does this at least return the json string?
| rex "OutboundWebHookPayload=(?<json>\{.*\})"
Get Updates on the Splunk Community!
Index This | I’m short for "configuration file.” What am I?
May 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with a Special ...
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Your Guide to SPL2 at .conf24!
So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...
