Solved: How to extract the specific key value pair ?

mlevsh · ‎05-04-2021

We have the following data ingested (not json format) , where we are trying to extract
"DeletedImages": 0 and "DeletedImages": 24 value pairs

Data:

2021-05-04 - 13:50:41.878 - INFO : Action completed in 0.192996025085 seconds, result is {
"images-deleted": 0,
"metrics": {
"Action": "Ec2DeleteImageAction",
"Data": {
"DeletedImages": 0
},
"Version": "1.0",
"Type": "action",
"ActionId": "12345"
},
"account": "123456789",
"task": "ABCD-EFGE-QAQ-DELETE-IMAGE",
"images": 535,
"region": "ab-east-1"
} - ReconNum:123456678901234

2021-05-04 - 13:55:41.878 - INFO : Action completed in 0.192996025085 seconds, result is {
"images-deleted": 0,
"metrics": {
"Action": "Ec2DeleteImageAction",
"Data": {
"DeletedImages": 24
},
"Version": "1.0",
"Type": "action",
"ActionId": "12345"
},
"account": "123456788",
"task": "ABCD-EFGE-QAQ-DELETE-IMAGE",
"images": 536,
"region": "ab-east-1"
} - ReconNum:123456678901235

bowesmana · ‎05-04-2021

Use rex with

| rex field=_raw "DeletedImages.:\s(?<DeletedImageCount>\d+)"

View solution in original post

bowesmana · ‎05-04-2021

Use rex with

| rex field=_raw "DeletedImages.:\s(?<DeletedImageCount>\d+)"

mlevsh · ‎05-05-2021

@bowesmana Thank you! That worked perfectly!

bowesmana · ‎05-04-2021

Assuming that is two events. If it is a single event and you need to extract both values from it, then modify the rex statement like this

| rex field=_raw max_match=0 "DeletedImages.:\s(?<DeletedImageCount>\d+)"

and you will get a multi value field with the two values

How to extract the specific key value pair ?

other

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...