cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
korstiaans
Explorer
Member since: ‎10-18-2019
‎07-19-2022
Community Statistics
Posts 6
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎10-18-2019
Activity Feed
View All

Re: Need some help with FIELD_HEADER_REGEX and jso...

by in Getting Data In
‎07-19-2022 03:14 AM
‎07-19-2022 03:14 AM
Unfortunately it didn't work for completeness sake I've added the props.conf I used. [gws:test] KV_MODE= json LINE_BREAKER = }]},(.) SEDCMD-remove_header =SEDCMD-remove_header = s/\{\"activities\": \[\{\"kind\".*/\[\{\"kind\".*/flags disabled=false pulldown_type=true SHOULD_LINEMERGE = false   ... View more

Re: Need some help with FIELD_HEADER_REGEX and jso...

by in Getting Data In
‎07-19-2022 02:59 AM
‎07-19-2022 02:59 AM
Hi Giuseppe, Thanks for the quick response, so it's only a problem for the first line I managed to split the other events and they are indexes as json so no need for spath.  I'll try your SEDCMD suggestion and get back with the results.  ... View more

Need some help with FIELD_HEADER_REGEX and json da...

by in Getting Data In
‎07-19-2022 02:42 AM
‎07-19-2022 02:42 AM
Hi Splunkers,  I have a question related to a json file that I'm trying to parse.I want to remove the first part of it until {"kind"), see sample file is added below.  I tried using the FIELD_REGEX_HEADER in props.conf which I think is supposed to that so far I've tried an failed with the following: FIELD_HEADER_REGEX={"activities":\s\[(.) FIELD_HEADER_REGEX={"activities":\s\[ FIELD_HEADER_REGEX={"activities": FIELD_HEADER_REGEX=\{\"activities\"\: Some of the above work on regexr.com with the sample data.  {"activities": [{"kind": "admin#reports#activity", "id": {"time": "2022-07-18T14:04:19.866Z", "uniqueQualifier": "-2451221827967636314", "applicationName": "redacted", "customerId": "redacted"}, "etag": "\"dng2uCItaXPqmMj2MG4RUqVkRjnE_4kf0VvQ0_WkiTg/6j3Reg7FneLgLDfjE-lZuZUOrdc\"", "actor": {"callerType": "USER", "email": "redacted", "profileId": "redacted"}, "ipAddress": "redacted", "events": [{"type": "SECURITY_INVESTIGATION", "name": "SECURITY_INVESTIGATION_QUERY", "parameters": [{"name": "INVESTIGATION_DATA_SOURCE", "value": "USER LOG EVENTS"}, {"name": "INVESTIGATION_QUERY", "value": "(empty)"}]}]}, Any help is appreciated thank you! ... View more
Labels

Re: Replace square brackets and leave original val...

by in Splunk Search
‎07-12-2021 10:19 AM
‎07-12-2021 10:19 AM
@clintla Thanks, works like a charm.  ... View more

Re: Replace square brackets and leave original val...

by in Splunk Search
‎07-12-2021 09:35 AM
‎07-12-2021 09:35 AM
Hi Michel, That doesn't work, but it's probably, because the field is a little weird formatted. It looks like this in a table:   ... View more

Replace square brackets and leave original value

by in Splunk Search
‎07-12-2021 08:36 AM
‎07-12-2021 08:36 AM
Hi All, I have a field with the following value: [ "842cef72-745d-463c-8b49-ce16ccc5ebd2" ] I'd like to get rid of the square brackets and the quotes ending up with: 842cef72-745d-463c-8b49-ce16ccc5ebd2 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-19-2022 06:39 AM
Karma given to