Hello all, I need some help please. I have some data in _raw.body, and I'd like to extract them into JSON objects together with the other _raw items (such as _raw.ctupdate). I'd also like to rename some of the fields. Any suggestions?
It looks like body has some Key:Value pairs. Have you tried using a Parser() function w/ source field of _raw and Type of Delimited values? Where delimiter is `:`.
Regex is better for that use case
I'm glad you posted that <@U01C35EMQ01>. I will be needing that in the future. It's very similar to Splunk's method, so I'm glad to see it's available the same way.
Thanks <@U01C35EMQ01>. I tried the solution, but get KEY_0: {"body" as an output
I DM'd you a Zoom
sure
The world would be a better place with nicely formatted input. I don't think that David has met a poorly formatted input that he could not tame with Stream.
All fixed!