Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract key-value field extraction?

mcbradford
Contributor
‎04-20-2018 07:49 AM

Need help with key value extraction for the following:

Apr 20 10:38:59 10.1.8.25 {"adf": 1, "virtualservice": "virtualservice-blahhhhh-blooob-blahhhh”, "vs_ip": “10.1.1.1”, "client_ip": “123.123.123.123”, "client_src_port": 45040, "client_dest_port": 25, "start_timestamp": "2018-04-20T14:37:00.281459", "report_timestamp": "2018-04-20T14:38:58.829212", "total_time": 118598, "connection_ended": 1, "client_rtt": 16, "mss": 1460, "service_engine": “blah-DC-bl-blob”, "vcpu_id": 1, "log_id": 1419929, "pool": "pool-blahhhh-79a9-4d4a-8e2c-blahhhh”, "pool_name": "mail.blahhh.com-pool", "server_ip": “123.123.123.123”, "server_name": “123.123.123.123”, "server_conn_src_ip": “123.123.123.123”, "server_dest_port": 443, "server_src_port": 49704, "server_rtt": 1, "significant_log": ["ADF_SERVER_SENT_RESET"], "proxy_protocol": "PROXY_PROTOCOL_VERSION_1", "dns_qtype": "DNS_RECORD_OTHER", "dns_response": {"response_code": "DNS_RCODE_NOERROR", "opcode": "DNS_OPCODE_QUERY"}, "dns_etype": "DNS_ENTRY_PASS_THROUGH", "protocol": "PROTOCOL_TCP", "dns_request": {"opcode": "DNS_OPCODE_QUERY"}, "vs_name": "mail.blahh.com"}

Data has been sanitized to remove true IPs and domains, etc.

Any help would truly be appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-20-2018 08:32 AM

@mcbradford, try the following replace to extract JSON data from your _raw data, followed by spath command.

<yourCurrentSearch>
| eval _raw=replace(_raw,"^[^\{]+","")
| spath

Following is a run anywhere search based on mocked up sample data:

| makeresults
| eval _raw=" Apr 20 10:38:59 10.1.8.25 {\"adf\": 1, \"virtualservice\": \"virtualservice-blahhhhh-blooob-blahhhh\", \"vs_ip\": \"10.1.1.1\", \"client_ip\": \"123.123.123.123\", \"client_src_port\": 45040, \"client_dest_port\": 25, \"start_timestamp\": \"2018-04-20T14:37:00.281459\", \"report_timestamp\": \"2018-04-20T14:38:58.829212\", \"total_time\": 118598, \"connection_ended\": 1, \"client_rtt\": 16, \"mss\": 1460, \"service_engine\": \"blah-DC-bl-blob\", \"vcpu_id\": 1, \"log_id\": 1419929, \"pool\": \"pool-blahhhh-79a9-4d4a-8e2c-blahhhh\", \"pool_name\": \"mail.blahhh.com-pool\", \"server_ip\": \"123.123.123.123\", \"server_name\": \"123.123.123.123\", \"server_conn_src_ip\": \"123.123.123.123\", \"server_dest_port\": 443, \"server_src_port\": 49704, \"server_rtt\": 1, \"significant_log\": [\"ADF_SERVER_SENT_RESET\"], \"proxy_protocol\": \"PROXY_PROTOCOL_VERSION_1\", \"dns_qtype\": \"DNS_RECORD_OTHER\", \"dns_response\": {\"response_code\": \"DNS_RCODE_NOERROR\", \"opcode\": \"DNS_OPCODE_QUERY\"}, \"dns_etype\": \"DNS_ENTRY_PASS_THROUGH\", \"protocol\": \"PROTOCOL_TCP\", \"dns_request\": {\"opcode\": \"DNS_OPCODE_QUERY\"}, \"vs_name\": \"mail.blahh.com\"}"
| eval _raw=replace(_raw,"^[^\{]+","")
| spath
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-20-2018 08:32 AM

@mcbradford, try the following replace to extract JSON data from your _raw data, followed by spath command.

<yourCurrentSearch>
| eval _raw=replace(_raw,"^[^\{]+","")
| spath

Following is a run anywhere search based on mocked up sample data:

| makeresults
| eval _raw=" Apr 20 10:38:59 10.1.8.25 {\"adf\": 1, \"virtualservice\": \"virtualservice-blahhhhh-blooob-blahhhh\", \"vs_ip\": \"10.1.1.1\", \"client_ip\": \"123.123.123.123\", \"client_src_port\": 45040, \"client_dest_port\": 25, \"start_timestamp\": \"2018-04-20T14:37:00.281459\", \"report_timestamp\": \"2018-04-20T14:38:58.829212\", \"total_time\": 118598, \"connection_ended\": 1, \"client_rtt\": 16, \"mss\": 1460, \"service_engine\": \"blah-DC-bl-blob\", \"vcpu_id\": 1, \"log_id\": 1419929, \"pool\": \"pool-blahhhh-79a9-4d4a-8e2c-blahhhh\", \"pool_name\": \"mail.blahhh.com-pool\", \"server_ip\": \"123.123.123.123\", \"server_name\": \"123.123.123.123\", \"server_conn_src_ip\": \"123.123.123.123\", \"server_dest_port\": 443, \"server_src_port\": 49704, \"server_rtt\": 1, \"significant_log\": [\"ADF_SERVER_SENT_RESET\"], \"proxy_protocol\": \"PROXY_PROTOCOL_VERSION_1\", \"dns_qtype\": \"DNS_RECORD_OTHER\", \"dns_response\": {\"response_code\": \"DNS_RCODE_NOERROR\", \"opcode\": \"DNS_OPCODE_QUERY\"}, \"dns_etype\": \"DNS_ENTRY_PASS_THROUGH\", \"protocol\": \"PROTOCOL_TCP\", \"dns_request\": {\"opcode\": \"DNS_OPCODE_QUERY\"}, \"vs_name\": \"mail.blahh.com\"}"
| eval _raw=replace(_raw,"^[^\{]+","")
| spath
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

mcbradford
Contributor
‎04-20-2018 09:12 AM

Perfect!!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...