Skip to main content
Question

Is there a way to extract the key-value pair in the JSON object from the _raw field in the Pipeline?

  • March 11, 2025
  • 13 replies
  • 75 views
A

Hi, is there a way to extract the key-value pair in the JSON object from the `_raw` field in the Pipeline?My `_raw` field looks like this `_raw: {"name":"foo", "age":"99", "phone":"12345678"}`I've tried the Parser function in the Pipeline, and tried the options in the Type dropdown but no luck...The parse extraction example in the sandbox tutorial is in string, didn't work for dictionary.

    13 replies

    X
    Forum|alt.badge.img
    • xpac xpac
    • Participating Frequently
    • March 11, 2025

    Can you share a Screenshot of how your sample actually looks in Cribl preview?

    A
    • alan y
    • Author
    • New Participant
    • March 11, 2025

    it's a script that returns a dictionary:

    David Maislin

    Does that JSON file LINT properly?

    David Maislin

    The JSON standard requires double quotes and will not accept single quotes, nor will the parser.

    David Maislin

    Your raw has single quotes.

    X
    Forum|alt.badge.img
    • xpac xpac
    • Participating Frequently
    • March 11, 2025

    Thats likely a python dict, not JSON

    David Maislin

    0

    David Maislin

    `'(?<_KEY_0>.+?)':'(?<_VALUE_0>.+?)'`

    David Maislin

    Just use the REGEX Function

    David Maislin

    <@U041MGED76H&gt; Does that make sense?

    A
    • alan y
    • Author
    • New Participant
    • March 11, 2025

    Thanks, both! Well spotted and quick solution! I'll give that a go! :pray:

    X
    Forum|alt.badge.img
    • xpac xpac
    • Participating Frequently
    • March 11, 2025

    If you can modify that script, it's effectively just wrapping the output in json.dumps().

    X
    Forum|alt.badge.img
    • xpac xpac
    • Participating Frequently
    • March 11, 2025

    Clearly the better long term solution ^^

    Terms & ConditionsAccessibility statement