I have the below json, I would like to be able to extract values that are in the email, name and provider fields.
Currently my Splunk query is sourcetype=_json | spath msg | rex field=msg mode=sed "s/\\\//g"
which gets rid of all the extra slashes.
When viewing the events in the list view, I can see the name, pid and msg fields with the msg field containing all of the nested JSON. How do I get it out?
{"name":"master",
"pid":0,
"msg":"INPUT-USER: {
\"_id\":\"testId\",
\"email\":\"secret@secret.com\",
\"name\":\"sameAsEmail\",
\"picture\":\"beautifulPic\",
\"user_id\":\"randomStuff\",
\"nickname\":\"emailUserName\",
\"identities\":[{
\"user_id\":\"yetAnotherSecret\",
\"provider\":\"email\",
\"connection\":\"email\"}]
}
}
Further information: I am not an admin and do not have access to the props.conf file
Thanking you in advance!
... View more