Extract into json objects together with the other _raw.items and rename the field

Paul Martins · September 2023

Hello all, I need some help please. I have some data in _raw.body, and I'd like to extract the them into json objects together with the other _raw.items (such as _raw.ctupdate) I'd also like to rename some of the fields. Any suggestions?

Patrick Sharkey · September 2023

It looks like body has some Key:Value pairs. Have you tried using a Parser() function w/source field of _raw and Type of Delimited values? Where delimiter is `:`.

David Maislin · September 2023

Regex is better for that use case

David Maislin · September 2023

<@U027KUMV39P>

Jon Rust · September 2023

I'm glad you posted that <@U01C35EMQ01>. I will be needing that in the future. It's very similar to Splunk's method, so I'm glad to see it's available the same way. :slightly_smiling_face: :skin-tone-2:

Paul Martins · September 2023

Thanks <@U01C35EMQ01>. I tried the solution, but get KEY_0: {"body" as an output

David Maislin · September 2023

I Dm'd you a zoom

Paul Martins · September 2023

sure

David Maislin · September 2023

All fixed!

Patrick Sharkey · September 2023

The world would be a better place with nicely formatted input. I don't think that David has met a poorly formatted input that he could not tame with Stream.

Extract into json objects together with the other _raw.items and rename the field

Answers

Categories