Hello,
I have a pile of JSON data and I want to extract only specific segments from the data.
For instance, I have this entry that has 38 sections all separated by "\r\n" and I want to create a filter that only separates data from sections 17 - 24. What would be the easiest way to go about doing that?
I cannot use kv because some data has fields and values while other sections only have values.
Here is the data in JSON
{"EventReceivedTime":"2018-05-21 17:02:35","SourceModuleName":"in","SourceModuleType":"im_file","message":"---Begin event transaction---\r\nSetting up rg parser...\r\nSetting up rg2 parser...\r\nSetting up rg3 parser...\r\nParsing event message...\r\nCreating an Array of the parsed AD event...\r\nMay 07 09:14:08 2018\r\n665\r\nSecurity\r\nTestServer\r\nUser\r\nSuccess Audit\r\nTestDomainController\r\nAccount Management\r\nMay 7 09:14:13 adevents:\r\nSecurity Disabled Universal Group Member Added\r\nMember Name: -\r\nMember ID: %{S-1-5-21-26028188-150678075-188441444-171629}\r\nTarget Account Name: TestAccount\r\nTarget Domain: TestDomain\r\nTarget Account ID: %{S-1-5-21-26028188-150678075-188441444-110557}\r\nCaller User Name: TestServer\r\nCaller Domain: TestDomain\r\nCaller Logon ID: (0x0,0x4FC530E)\r\nPrivileges: -\r\nMay 7 09:14:13 adevents:\r\nArray Count = 20\r\nStoring event time, event ID, and the event log type...\r\nDetermining if the event type matches known events...\r\nDetermining the user who initiated the event...\r\nTestServer\r\nTestDomain\r\nDetermining domain/user being altered...\r\nDetermining group domain/user is being added to or removed from...\r\nJoining event details for later database placement...---Event Reporting Complete---"}
Many thanks.