Getting Data In

Additional fields extraction from json data

RSS_STT
Explorer

I have field CI extracted from json payload 

{
"Name": "zSeries",
"Severity":5,
"Category":"EVENT",
"SubCategory":"Service issues - Unspecified",
"TStatus": "OPEN",
"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",
"Component": "iphone"
}

Further, i want the CI field value extracted using DELIMS = ";". I have created below props & transforms configuration but not working.


[source::cluster_test]
REPORT-fields = ci-extraction


[ci-extraction]
SOURCE_KEY = CI
DELIMS = ";"
FIELDS = CI_V2,CI_1,CI_2,CI_3,CI_4,CI_5

Any help highly appreciated.


RSS_STT
Explorer

CI field values won't be constant. Sometimes it can contain 3 values, sometimes 4 or 5 values, semicolon separated.

But the 1st word in the CI field is fixed, that is V2. How can we handle that with inline rex or with props?

Example:

"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",

"CI": "V2;Y;Linx;srv048",

"CI": "V2;LX;apple;rose;server",


gcusello
SplunkTrust

Hi @RSS_STT ,

please try this:

| rex "\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);(?<CI_3>[^;\"]*);(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)"

Ciao.

Giuseppe


RSS_STT
Explorer

It's not working..


gcusello
SplunkTrust

Hi @RSS_STT ,

please try this regex:

(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)

that you can test at https://regex101.com/r/fndJqR/2

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @RSS_STT ,

sorry! I was focused on the other fields and I forgot the start of the string, please try this:

\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);(?<CI_5>[^\"]*)

that you can test at https://regex101.com/r/fndJqR/3

Ciao.

Giuseppe


RSS_STT
Explorer

CI_5 field extraction is not proper. As of now all last values (C,srv048 & server) are going into CI_5 which is not correct.

"CI": "V2;Y;Windows;srv048;LogicalDisk;C:",
"CI": "V2;Y;Linx;srv048",
"CI": "V2;LX;apple;rose;server",


gcusello
SplunkTrust

Hi @RSS_STT,

sorry, I forgot one asterisk, please try this:

\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;\"]*);(?<CI_2>[^;\"]*);*(?<CI_3>[^;\"]*);*(?<CI_4>[^;\"]*);*(?<CI_5>[^;\"]*)

that you can test at https://regex101.com/r/fndJqR/4

Ciao.

Giuseppe

RSS_STT
Explorer

Seems to be working for the rest of the fields but not for CI_V2.

It is creating field value CI_V2="CI": "V2 . It should be CI_V2 = V2.


kamlesh_vaghela
SplunkTrust

@RSS_STT 

You can also try adding this in props.conf.

[cluster_test]
EXTRACT-fields = "CI":\s"(?<CI_V2>.*)\;(?<CI_1>.*)\;(?<CI_2>.*)\;(?<CI_3>.*)\;(?<CI_4>.*)\;(?<CI_5>.*)\",


I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.


gcusello
SplunkTrust

Hi @RSS_STT,

I cannot debug your fields extraction without accessing your system, but you could use a regex:

| rex "\"CI\":\s+\"(?<CI_V2>[^;]*);(?<CI_1>[^;]*);(?<CI_2>[^;]*);(?<CI_3>[^;]*);(?<CI_4>[^;]*);(?<CI_5>[^\"]*)"

or 

| rex field=CI "(?<CI_V2>[^;]*);(?<CI_1>[^;]*);(?<CI_2>[^;]*);(?<CI_3>[^;]*);(?<CI_4>[^;]*);(?<CI_5>[^\"]*)"

that you can test at https://regex101.com/r/fndJqR/1

Ciao.

Giuseppe

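The three sample CI values quoted in this thread, run through the final regex posted above (the one with ";*" before every optional field) and, for comparison, through a plain JSON-parse-and-split that does what the original DELIMS=";" configuration intended. This is an added Python example, not code from any post here; the constructed events carry the thread's CI values with the other JSON keys filled in only so each line parses, and Splunk's (?<name>...) groups are written as Python's (?P<name>...).

```python
import json
import re

# Constructed sample events: the CI values are the three quoted in the thread,
# the other keys are filled in only so that each line is valid JSON.
SAMPLE_EVENTS = [
    '{"Name": "zSeries", "Severity": 5, "CI": "V2;Y;Windows;srv048;LogicalDisk;C:", "Component": "iphone"}',
    '{"Name": "zSeries", "Severity": 5, "CI": "V2;Y;Linx;srv048", "Component": "iphone"}',
    '{"Name": "zSeries", "Severity": 5, "CI": "V2;LX;apple;rose;server", "Component": "iphone"}',
]

# The final regex from the thread (";*" before each optional field),
# with Splunk's (?<name>...) groups written as Python's (?P<name>...).
CI_REGEX = re.compile(
    r'"CI":\s+"(?P<CI_V2>[^;]*);(?P<CI_1>[^;"]*);(?P<CI_2>[^;"]*);*'
    r'(?P<CI_3>[^;"]*);*(?P<CI_4>[^;"]*);*(?P<CI_5>[^;"]*)'
)


def extract_with_regex(raw_event: str) -> dict:
    """Run the regex over the raw event text, as a props.conf EXTRACT or `rex` on _raw does.

    When the CI value carries fewer than six tokens the optional groups still
    participate, so CI_4 / CI_5 come back as empty strings, not as missing fields.
    """
    match = CI_REGEX.search(raw_event)
    return match.groupdict() if match else {}


def extract_with_split(raw_event: str) -> dict:
    """Parse the JSON first, then split CI on ';' (what DELIMS=";" on SOURCE_KEY=CI intended).

    The first token is the fixed "V2" marker, so it becomes CI_V2; the rest are
    numbered CI_1, CI_2, ... and absent tokens simply produce no field at all.
    """
    tokens = json.loads(raw_event)["CI"].split(";")
    fields = {"CI_V2": tokens[0]}
    for index, token in enumerate(tokens[1:], start=1):
        fields[f"CI_{index}"] = token
    return fields


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_with_regex(event))
        print(extract_with_split(event))
```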