Hi. I have a problem with transformations in Splunk:
Example event (small part of it):
`Dec 1 22:29:42 127.0.0.1 1 2017-12-01 LOGSERVER 1292 - - {"event_type":"type_here","ipv4":"127.0.0.1","hostname":"pc_name.local","occured":"01-Dec-2017 22:24:34"}`
I need to extract only the JSON data:
`{"event_type":"Threat_Event","ipv4":"127.0.0.1","hostname":"pc_name.local","occured":"01-Dec-2017 22:24:34","severity":"Warning","threat_type":"potentially unsafe application"}`
and get fields from it.
I found one solution:

transforms.conf

```
[json_extract]
SOURCE_KEY = _raw
DEST_KEY = _raw
REGEX = ^([^{]+)({.+})$
FORMAT = $2
```

props.conf

```
[some_sourcetype]
KV_MODE = json
TRANSFORMS-jsonextraction = json_extract
```
It works, and all is OK. But I need to do this using `Field Transformations` in Splunk Web.
When I do this extraction in Splunk Web, I have a problem with Format (more on the screenshot).
Please help me to do this using Splunk Web.
![alt text][1]
[1]: /storage/temp/225630-problem.png
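Added illustration, not part of the original post or of Splunk itself: a small Python simulation of what the poster's transforms.conf regex and `KV_MODE = json` do to constructed sample events, including the events where the regex does not match and `_raw` is left unchanged.

```python
import json
import re

# The regex from the poster's transforms.conf: group 1 is the syslog header,
# group 2 (FORMAT = $2) is the JSON body that replaces _raw.
JSON_EXTRACT = re.compile(r"^([^{]+)({.+})$")


def extract_json_payload(raw: str) -> str:
    """Mimic the transform: return the JSON body when the regex matches,
    otherwise leave the event unchanged (Splunk leaves _raw as-is on no match)."""
    m = JSON_EXTRACT.match(raw)
    return m.group(2) if m else raw


def extract_fields(raw: str) -> dict:
    """Mimic KV_MODE = json on the rewritten _raw: parse the JSON object into
    fields; an event that is not a JSON object yields no fields."""
    body = extract_json_payload(raw)
    try:
        fields = json.loads(body)
    except json.JSONDecodeError:
        return {}
    return fields if isinstance(fields, dict) else {}


# Constructed sample events (made up for this illustration, not real log data).
SAMPLE_EVENTS = [
    # Normal case: syslog header followed by one JSON object
    'Dec 1 22:29:42 127.0.0.1 1 2017-12-01 LOGSERVER 1292 - - '
    '{"event_type":"Threat_Event","ipv4":"127.0.0.1","hostname":"pc_name.local",'
    '"occured":"01-Dec-2017 22:24:34","severity":"Warning",'
    '"threat_type":"potentially unsafe application"}',
    # A "}" inside a JSON value still works: .+ is greedy and $ anchors the end
    'Dec 1 22:30:01 127.0.0.1 1 2017-12-01 LOGSERVER 1293 - - '
    '{"event_type":"Audit","message":"user typed }"}',
    # No JSON at all: regex does not match, event stays as-is, no fields
    'Dec 1 22:30:05 127.0.0.1 1 2017-12-01 LOGSERVER 1294 - - heartbeat ok',
    # Text after the JSON breaks the $ anchor: regex fails, no fields extracted
    'Dec 1 22:30:09 127.0.0.1 1 2017-12-01 LOGSERVER 1295 - - {"a":1} trailing',
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_fields(event))
```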