Question

Extract into json objects together with the other _raw.items and rename the field

Forum|Forum|10 months ago
March 11, 2025
9 replies
98 views

Paul Martins
Employee

Hello all,I need some help please. I have some data in _raw.body, and I'd like to extract the them into json objects together with the other _raw.items (such as _raw.ctupdate)I'd also like to rename some of the fields. Any suggestions?

P

Patrick Sharkey
Participating Frequently
Forum|Forum|10 months ago
March 11, 2025

It looks like body has some Key:Value pairs.Have you tried using a Parser() function w/source field of _raw and Type of Delimited values?Where delimiter is `:`.

Like

David Maislin
Employee
Forum|Forum|10 months ago
March 11, 2025

Regex is better for that use case

Like

David Maislin
Employee
Forum|Forum|10 months ago
March 11, 2025

<@U027KUMV39P>

Like

Jon Rust
Employee
Forum|Forum|10 months ago
March 11, 2025

I'm glad you posted that <@U01C35EMQ01>. I will be needing that in the future. It's very similar to Splunk's method, so I'm glad to see it's available the same way. :slightly_smiling_face: :skin-tone-2:

Like

P

Paul Martins
Author
Employee
Forum|Forum|10 months ago
March 11, 2025

Thanks <@U01C35EMQ01>. I tried the solution, but get KEY_0: {"body" as an output

Like

David Maislin
Employee
Forum|Forum|10 months ago
March 11, 2025

I Dm'd you a zoom

Like

P

Paul Martins
Author
Employee
Forum|Forum|10 months ago
March 11, 2025

sure

Like

P

Patrick Sharkey
Participating Frequently
Forum|Forum|10 months ago
March 11, 2025

The world would be a better place with nicely formatted input. I don't think that David has met a poorly formatted input that he could not tame with Stream.

Like

David Maislin
Employee
Forum|Forum|10 months ago
March 11, 2025

All fixed!

Like

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded