topic Re: rex help in Splunk Search

rex help

surekhasplunk — Fri, 25 Sep 2020 10:15:18 GMT

Hello,

index=myindex| spath "Rules{}" output=rules |mvexpand rules
| table device ip rules

Now my rules has data like below:

rules

{"name": "abc def - 123", "result": true}

i want to now make it into two columns rule_name and rule_result

can you please help me with the regex.

Re: rex help

gcusello — Fri, 25 Sep 2020 10:44:52 GMT

Hi @surekhasplunk,

please try this regex:

| rex "\"name\":\s+\"(?<name>[^\"]+)\",\s+\"result\":\s+(?<result>\w+)"

that you can test at https://regex101.com/r/3DyKHn/1

Ciao.

Giuseppe

Re: rex help

ITWhisperer — Fri, 25 Sep 2020 11:15:39 GMT

Why rex and not spath again?

| spath input=rules ...

Re: rex help

gcusello — Fri, 25 Sep 2020 12:01:31 GMT

Hi @surekhasplunk,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: rex help

inventsekar — Fri, 25 Sep 2020 12:08:43 GMT

Hi @ITWhisperer .. i am from a sabbatical vacation and also i havent used spath. so i miss some context here.

may i know how spath can do the job of rex?(this is what my understanding from ur reply)..

Re: rex help

ITWhisperer — Fri, 25 Sep 2020 12:23:09 GMT

Hi @inventsekar

spath is used for parsing and extracting fields from JSON and XML strings. In this instance, spath was used to extract the rules from _raw (which must have been JSON)

index=myindex| spath "Rules{}" output=rules |mvexpand rules

It yielded the next level down which appears to be more JSON

{"name": "abc def - 123", "result": true}

So spath could have been used to extract these fields too

| spath input=rules