Am I able to search for the key value pairs found under _raw in a query?
Hello. Quick Cribl Search question… Am I able to search for the key value pairs found under _raw in a query? I'm attempting to use it for Cloudtrail and here's an example of the structure.
Best Answer
Yup, sounds like a use case for the `extract` operator.
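The difference between the two approaches in the thread (a substring test on `_raw`, versus extracting fields and filtering on them), as an added example in plain JavaScript; this is not code from the thread or from Cribl. The events are constructed, minimal CloudTrail-shaped records: the field names follow CloudTrail's schema, the values and the trailing non-JSON line are made up. `JSON.parse` stands in for what an extract step produces, and the regex function is the fallback the second answer mentions for when the payload cannot be parsed as a whole.

```javascript
// Added example (not from the thread, not Cribl code). Constructed, CloudTrail-shaped
// events: real CloudTrail field names, made-up values. Each _raw is a string, as in
// the screenshot the question refers to.
const events = [
  { _raw: JSON.stringify({ eventSource: "s3.amazonaws.com", eventName: "GetObject",
      awsRegion: "us-east-1", userIdentity: { arn: "arn:aws:iam::111122223333:user/alice" } }) },
  { _raw: JSON.stringify({ eventSource: "iam.amazonaws.com", eventName: "CreateUser",
      awsRegion: "us-east-1", userIdentity: { arn: "arn:aws:iam::111122223333:user/bob" } }) },
  // The region string appears only inside an ARN here; awsRegion is a different region.
  // A substring search hits this record, a field search does not.
  { _raw: JSON.stringify({ eventSource: "lambda.amazonaws.com", eventName: "Invoke",
      awsRegion: "eu-west-1",
      requestParameters: { functionName: "arn:aws:lambda:us-east-1:111122223333:function:demo" } }) },
  // Not JSON at all: something the structured path has to tolerate rather than crash on.
  { _raw: "plain text line mentioning us-east-1" },
];

// Approach 1 (what the thread settles on without parsing): treat _raw as a string.
function substringSearch(evs, needle) {
  return evs.filter((e) => e._raw.includes(needle));
}

// Approach 2: parse _raw into fields first, then filter on a named field.
// Records that do not parse keep only their original keys and simply will not match.
function extractJson(ev) {
  try {
    return { ...ev, ...JSON.parse(ev._raw) };
  } catch (_e) {
    return ev;
  }
}
function fieldSearch(evs, key, value) {
  return evs.map(extractJson).filter((e) => e[key] === value);
}

// Approach 3: regex extraction of one key's string value when the payload is not
// wholly parseable. Only matches the key/value pair itself, not the value elsewhere.
function extractKeyRegex(raw, key) {
  const m = raw.match(new RegExp(`"${key}"\\s*:\\s*"([^"]*)"`));
  return m ? m[1] : undefined;
}
function regexSearch(evs, key, value) {
  return evs.filter((e) => extractKeyRegex(e._raw, key) === value);
}

console.log("substring hits:", substringSearch(events, "us-east-1").length); // 4
console.log("awsRegion field hits:", fieldSearch(events, "awsRegion", "us-east-1").length); // 2
console.log("awsRegion regex hits:", regexSearch(events, "awsRegion", "us-east-1").length); // 2
```

The substring search returns all four records, including the Lambda event whose region is `eu-west-1` and the non-JSON line; the two field-based searches return only the two events whose `awsRegion` actually is `us-east-1`. That gap is the reason to parse before filtering when a value can legitimately appear in more than one key.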
Answers
Not without using a regex (or a JS `.includes()` function), because _raw is just a string in that screenshot, denoted by the alpha symbol to the left of it.

We're showing a user-friendly representation of it, but it's not actually structured like that inside _raw.
Ok. So just searching for various combinations of strings would be ok too?
Yeah, unless you do something to parse that data so it's structured. Hard to tell if it can be parsed without seeing all of it.
Alright, thank you!
do you see `awsRegion` extracted as a field?
i.e., outside of _raw?
if yes, then you should be able to reference `awsRegion=foobar` in Search without a problem.
No, I don't. All the data I'd want to specify is in _raw. I suppose I could turn region into a variable in the bucket path if I wanted to get more granular with searches.
Yeah, can totally do that.
Agh, didn't even notice the question was about Search. I thought I saw Stream mentioned.