Say you are extracting data that has nested JSON. Splunk may auto-escape double quotes. You can’t then directly run spath on that field and get anything out of it. You have to remove the backslashes. You need to use the “eval” function and for some reason stuff in 4 backslashes. Like this:
| eval MyDataField=replace(MyDataField,”\\\\”,””)
Splunk answer about this:
No comments:
Post a Comment