Extract into json objects together with the other _raw.items and rename the field

Paul Martins

Hello all, I need some help please. I have some data in _raw.body, and I'd like to extract the them into json objects together with the other _raw.items (such as _raw.ctupdate) I'd also like to rename some of the fields. Any suggestions?

Patrick Sharkey

It looks like body has some Key:Value pairs. Have you tried using a Parser() function w/source field of _raw and Type of Delimited values? Where delimiter is `:`.

David Maislin

Regex is better for that use case

David Maislin

<@U027KUMV39P&gt;

Jon Rust

I'm glad you posted that <@U01C35EMQ01&gt;. I will be needing that in the future. It's very similar to Splunk's method, so I'm glad to see it's available the same way. :slightly_smiling_face: :skin-tone-2:

David Maislin

I Dm'd you a zoom

Paul Martins

Thanks <@U01C35EMQ01&gt;. I tried the solution, but get KEY_0: {"body" as an output

Paul Martins

sure

Patrick Sharkey

The world would be a better place with nicely formatted input. I don't think that David has met a poorly formatted input that he could not tame with Stream.

David Maislin

All fixed!