r0r0n0a

Reputation: 358

How to extract fields from an escaped JSON (nested) in Splunk?

I'm looking for help in extracting "allowedSourceAddressPrefix" field/value from a JSON. This field is an escaped JSON string inside a nested JSON. Following is the JSON tree

- properties (extracted by splunk)
  - /subscription/..../.../  (dynamic field)
    - ports (escaped json)
      - allowedSourceAddressPrefix (nested json)

The allowedSourceAddressPrefix takes values of a single IP address (or) multiple IP addresses (or) *.

I have tried various rex patterns but failed in extracting the required field. Any help is appreciated. Following is the JSON that has the required field:

properties: {
  "User": "[email protected]",
  "/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev": "{\"id\":\"/subscriptions/3483b2ca-02cf-4ff6-92af-99326c8fac7f/resourceGroups/apple-dev/providers/Microsoft.Compute/virtualMachines/gjappledev\",\"ports\":[{\"number\":3389,\"allowedSourceAddressPrefix\":\"*\",\"endTimeUtc\":\"2022-03-21T1:50:39.1599446Z\"}]}",
  "Justification": null
}

TIA

Upvotes: 0

Views: 1803

Answers (1)

RichG

Reputation: 9916

It would help to know some of the regular expressions you've tried so we don't repeat them.

Have you tried the spath command to parse the JSON?

Perhaps this rex command will help:

| rex "allowedSourceAddressPrefix\\\\\":\\\\\"(?<allowedSourceAddressPrefix>[^\\\]+)"

Upvotes: 1
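
The two-pass decoding this data needs, shown outside Splunk as an added Python example that is not part of the original question or answer. The sample event is constructed and modelled on the one in the question; the function names and the treatment of multiple addresses as a comma-separated string or an array are assumptions.

```python
import json
import re

# Constructed sample modelled on the event in the question: the value under the
# dynamic "/subscriptions/..." key is itself a JSON document stored as a string.
INNER = {"id": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
         "ports": [{"number": 3389, "allowedSourceAddressPrefix": "*"},
                   {"number": 22, "allowedSourceAddressPrefix": "203.0.113.7,198.51.100.0/24"}]}
RAW_EVENT = json.dumps({"properties": {
    "User": "user@example.com",
    INNER["id"]: json.dumps(INNER, separators=(",", ":")),  # compact, as in the question
    "Justification": None}})


def extract_prefixes(raw_event):
    """Decode twice: the outer event, then each string value that holds JSON."""
    rows = []
    for key, value in json.loads(raw_event)["properties"].items():
        if not (key.startswith("/subscriptions/") and isinstance(value, str)):
            continue  # skip User, Justification and other plain fields
        try:
            inner = json.loads(value)  # second pass removes the \" escaping
        except json.JSONDecodeError:
            continue  # the string was not embedded JSON after all
        for port in inner.get("ports", []):
            prefix = port.get("allowedSourceAddressPrefix")
            if isinstance(prefix, list):   # assumption: may arrive as an array
                addrs = [str(p) for p in prefix]
            else:                          # "*", one address, or comma-separated (assumed)
                addrs = [p.strip() for p in str(prefix).split(",")]
            rows.append({"resource": key, "port": port.get("number"),
                         "prefixes": addrs, "any_source": "*" in addrs})
    return rows


# Regex equivalent on the undecoded text: in the raw event every inner quote
# appears as \" so the pattern must match a literal backslash before each quote.
RAW_PATTERN = re.compile(r'allowedSourceAddressPrefix\\":\\"([^\\]+)')


def extract_prefixes_regex(raw_event):
    """Return the captured prefix strings without decoding the JSON."""
    return RAW_PATTERN.findall(raw_event)


if __name__ == "__main__":
    for row in extract_prefixes(RAW_EVENT):
        print(row)
    print(extract_prefixes_regex(RAW_EVENT))
```

The `any_source` flag marks ports whose prefix is `*`, which is the value worth alerting on when reviewing these events.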
