Is there a way to extract the key-value pair in the JSON object from the _raw field in the Pipeline?

alan y · September 2023

Hi, is there a way to extract the key-value pair in the JSON object from the `_raw` field in the Pipeline? My `_raw` field looks like this `_raw: {"name":"foo", "age":"99", "phone":"12345678"}` I've tried the Parser function in the Pipeline, and tried the options in the Type dropdown but no luck... The parse extraction example in the sandbox tutorial is in string, didn't work for dictionary.

xpac xpac · September 2023

Can you share a Screenshot of how your sample actually looks in Cribl preview?

alan y · September 2023

it's a script that returns a dictionary:

David Maislin · September 2023

Does that JSON file LINT properly?

David Maislin · September 2023

The JSON standard requires double quotes and will not accept single quotes, nor will the parser.

David Maislin · September 2023

Your raw has single quotes.

xpac xpac · September 2023

Thats likely a python dict, not JSON

David Maislin · September 2023

David Maislin · September 2023

`'(?<_KEY_0>.+?)':'(?<_VALUE_0>.+?)'`

David Maislin · September 2023

Just use the REGEX Function

David Maislin · September 2023

<@U041MGED76H> Does that make sense?

alan y · September 2023

Thanks, both! Well spotted and quick solution! I'll give that a go! :pray:

xpac xpac · September 2023

If you can modify that script, it's effectively just wrapping the output in json.dumps().

xpac xpac · September 2023

Clearly the better long term solution ^^

Is there a way to extract the key-value pair in the JSON object from the _raw field in the Pipeline?

Answers

Categories