topic Re: How to write query-rex to get table inside table data? in Splunk Enterprise Security

How to write query-rex to get table inside table data?

rashhvarikuti — Thu, 12 Mar 2020 11:37:56 GMT

How to write a rex query for table inside table for the below case

"studentInfo": {
"name": "Apple",
"id": "57",
"batch": "2006",
"subjects": {
"subject1": "English"
}
}

index=schoolIndex sourcetype=dev studentInfo | rex field=_raw "\"contentversions\":(?.*)}+" | spath input=message | table name id subjects

Re: How to write query-rex to get table inside table data?

wmyersas — Thu, 12 Mar 2020 13:36:50 GMT

What do you want to rex out?

It's JSON - and should be coming at least mostly preparsed into Splunk

Are you sure something like the following won't work:

index=schoolindex sourcetype=dev studentInfo.subjects{}=*
| stats values(studentInfo.subjects) by studentInfo.id

Re: How to write query-rex to get table inside table data?

rashhvarikuti — Thu, 12 Mar 2020 16:39:35 GMT

Yes, I tried similar way but it's getting no results(but results are there I tried "index= schoolindex sourcetype=dev jobId=8e62-71c72ccb3aec studentInfo" and getting data):

index= schoolindex sourcetype=dev jobId=8e62-71c72ccb3aec studentInfo. subjects{}=*
| stats values(studentInfo. subjects) by studentInfo.id

Re: How to write query-rex to get table inside table data?

to4kawa — Fri, 13 Mar 2020 11:10:48 GMT

| makeresults 
| eval _raw ="\"studentInfo\": {
\"name\": \"Apple\",
\"id\": \"57\",
\"batch\": \"2006\",
\"subjects\": {
\"subject1\": \"English\"
}
}"
| rex max_match=0 "\"(?<fieldname>.*?)\": \"(?<fieldvalue>.*?)\""
| eval _raw=mvzip(fieldname,fieldvalue,"=")
| kv
| fields - _* field*