topic Re: Need help on rex in Knowledge Management

Need help on rex

Ram2 — Fri, 23 Aug 2024 21:48:07 GMT

We have json logs, from the below logs we need to get the rex for the failures count which is mentioned in the logs like (7 failures)
We need rex to get the count for failures count.

{"attributes": {"type" : "rar_Log__c", "url": "/data/log/v4.0/subject/rar"}, "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 3 batches with 3 failures.3", "Contact_Id__c": null, "CreatedById" : 657856MHQA, "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null} {"attributes": {"type" : "rar_Log__c", "url": "/data/log/v4.0/subject/rar"}, "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 4 batches with 4 failures.4", "Contact_Id__c": null, "CreatedById" : 657856MHQA, "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null} {"attributes": {"type" : "rar_Log__c", "url": "/data/log/v4.0/subject/rar"}, "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 5 batches with 5 failures.5", "Contact_Id__c": null, "CreatedById" : 657856MHQA, "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null} {"attributes": {"type" : "rar_Log__c", "url": "/data/log/v4.0/subject/rar"}, "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 7 batches with 7 failures.7", "Contact_Id__c": null, "CreatedById" : 657856MHQA, "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null} {"attributes": {"type" : "rar_Log__c", "url": "/data/log/v4.0/subject/rar"}, "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 10 batches with 10 failures.10", "Contact_Id__c": null, "CreatedById" : 657856MHQA, "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

Re: Need help on rex

PickleRick — Fri, 23 Aug 2024 22:25:59 GMT

Do you need to do this in SPL during search or are you trying to define a field extraction?

Anyway, the usual answer to "regex" and "json" in one sentence is usually "don't fiddle with regex on structured data".

WIth SPL it's relatively easy - extract your fields either with KV_MODE=json or explicitly using spath and do

| rex input=attributes.Comment__c "with (?<failures_no>\d+) failures"

With field extraction it might not be that easy because transforms which you could call on a json-extracted field are called before autoextractions. So you might actually need to define extraction based on raw data with that regex but that will be unintuitive to maintain since your data seems to be a well-formed json and with json you'd actually expect the explicitly named fields, not some funky stuff pulled from somewhere from the middle.

Re: Need help on rex

Ram2 — Mon, 26 Aug 2024 19:36:23 GMT

Hi @PickleRick,

our requirement is to set up alert on this logs and we need to trigger an alert if any failures are there greater than 0

I tied the rex u provided it’s not working, as u suggested may I know how can we do via spath

Re: Need help on rex

PickleRick — Mon, 26 Aug 2024 19:57:22 GMT

What do you mean by "it's not working"? It's supposed to work on contents of a given field. This field must be extracted before you use the rex command. Is it extracted?

Re: Need help on rex

alizarei — Tue, 27 Aug 2024 15:47:04 GMT

You can extract a rex of all failures.

| rex field =_raw ".?failures<field name>.\w "