topic Need help in splunk regex in Splunk Search

Need help in splunk regex

pswalia06 — Tue, 29 Sep 2020 19:59:48 GMT

{"runDate":"2018-05-26T02:42:42 BRT","dataDate":"20180524","jobName":"autocompleteIndexerCounters","counterList":[{"counterName":"autocompleteIndexer.output.featureTypeCount","counterValue":[{"type":"appname","count":101},{"type":"tld","count":253},{"type":"keyword","count":2927}]},{"counterName":"autocompleteIndexer.output.top_5_popular_tlds","counterValue":[{"token":"windows2universe.org","userCount":62.981969934674},{"token":"lifehacker.com","userCount":62.964321782051435},{"token":"cartier.com","userCount":62.9401599579562},{"token":"ralphlauren.com","userCount":62.93481540700425},{"token":"rolex.com","userCount":62.933701958889266}]},{"counterName":"autocompleteIndexer.output.top_5_popular_appnames","counterValue":[{"token":"Facebook","userCount":100.0},{"token":"Spotify","userCount":95.26094213298802},{"token":"com.facebook.orca","userCount":93.11922468380857},{"token":"com.apple.appstored","userCount":70.68313382198859},{"token":"Netflix","userCount":65.30195042706302}]},{"counterName":"autocompleteIndexer.output.top_5_popular_keywords","counterValue":[{"token":"lamborghini","userCount":99.94711121453807},{"token":"mercedes","userCount":99.78833351334077},{"token":"bmw","userCount":99.69614000941976},{"token":"benz","userCount":99.41822335991877},{"token":"mercedes benz","userCount":99.41822335991877}]},{"counterName":"autocompleteIndexer.output.googleTldCount","counterValue":[{"token":"google.com","userCount":57.73100429679627}]},{"counterName":"autocompleteIndexer.output.appleTldCount","counterValue":[{"token":"apple.com","userCount":57.7610117234952}]},{"counterName":"autocompleteIndexer.output.iphoneKeywordCount","counterValue":[]},{"counterName":"autocompleteIndexer.output.androidKeywordCount","counterValue":[]},{"counterName":"autocompleteIndexer.output.facebookAppCount","counterValue":[{"token":"Facebook","userCount":100.0}]},{"counterName":"autocompleteIndexer.output.instagramAppCount","counterValue":[]}],"projectName":"Palomar","releaseVersion":"1.4.0.amxbeta"}

index=orion-platform source="/opt/bda/logs/palomar-metrics/autocompleteIndexerCounters.json" | spath output=AAAAA path=counterList{1} | rex field=AAAAA "token\":\"(?.*?)\",\"userCount\":(?\d+)}" max_match=100 | table Token,Count

But no value is coming

Re: Need help in splunk regex

493669 — Thu, 14 Jun 2018 09:55:04 GMT

Hi @pswalia06,
Try this:

...| rex field=AAAAA "token\":\"(?<Token>.*?)\",\"userCount\":(?<Count>[^}]+)" max_match=100 | table Token,Count

Re: Need help in splunk regex

ansif — Thu, 14 Jun 2018 09:59:58 GMT

Check if below works:

| makeresults 
| eval _raw="{\"runDate\":\"2018-05-26T02:42:42 BRT\",\"dataDate\":\"20180524\",\"jobName\":\"autocompleteIndexerCounters\",\"counterList\":[{\"counterName\":\"autocompleteIndexer.output.featureTypeCount\",\"counterValue\":[{\"type\":\"appname\",\"count\":101},{\"type\":\"tld\",\"count\":253},{\"type\":\"keyword\",\"count\":2927}]},{\"counterName\":\"autocompleteIndexer.output.top_5_popular_tlds\",\"counterValue\":[{\"token\":\"windows2universe.org\",\"userCount\":62.981969934674},{\"token\":\"lifehacker.com\",\"userCount\":62.964321782051435},{\"token\":\"cartier.com\",\"userCount\":62.9401599579562},{\"token\":\"ralphlauren.com\",\"userCount\":62.93481540700425},{\"token\":\"rolex.com\",\"userCount\":62.933701958889266}]},{\"counterName\":\"autocompleteIndexer.output.top_5_popular_appnames\",\"counterValue\":[{\"token\":\"Facebook\",\"userCount\":100.0},{\"token\":\"Spotify\",\"userCount\":95.26094213298802},{\"token\":\"com.facebook.orca\",\"userCount\":93.11922468380857},{\"token\":\"com.apple.appstored\",\"userCount\":70.68313382198859},{\"token\":\"Netflix\",\"userCount\":65.30195042706302}]},{\"counterName\":\"autocompleteIndexer.output.top_5_popular_keywords\",\"counterValue\":[{\"token\":\"lamborghini\",\"userCount\":99.94711121453807},{\"token\":\"mercedes\",\"userCount\":99.78833351334077},{\"token\":\"bmw\",\"userCount\":99.69614000941976},{\"token\":\"benz\",\"userCount\":99.41822335991877},{\"token\":\"mercedes benz\",\"userCount\":99.41822335991877}]},{\"counterName\":\"autocompleteIndexer.output.googleTldCount\",\"counterValue\":[{\"token\":\"google.com\",\"userCount\":57.73100429679627}]},{\"counterName\":\"autocompleteIndexer.output.appleTldCount\",\"counterValue\":[{\"token\":\"apple.com\",\"userCount\":57.7610117234952}]},{\"counterName\":\"autocompleteIndexer.output.iphoneKeywordCount\",\"counterValue\":[]},{\"counterName\":\"autocompleteIndexer.output.androidKeywordCount\",\"counterValue\":[]},{\"counterName\":\"autocompleteIndexer.output.facebookAppCount\",\"counterValue\":[{\"token\":\"Facebook\",\"userCount\":100.0}]},{\"counterName\":\"autocompleteIndexer.output.instagramAppCount\",\"counterValue\":[]}],\"projectName\":\"Palomar\",\"releaseVersion\":\"1.4.0.amxbeta\"}"| search _raw="{\"runDate\":\"2018-05-26T02:42:42 BRT\",\"dataDate\":\"20180524\",\"jobName\":\"autocompleteIndexerCounters\",\"counterList\":[{\"counterName\":\"autocompleteIndexer.output.featureTypeCount\",\"counterValue\":[{\"type\":\"appname\",\"count\":101},{\"type\":\"tld\",\"count\":253},{\"type\":\"keyword\",\"count\":2927}]},{\"counterName\":\"autocompleteIndexer.output.top_5_popular_tlds\",\"counterValue\":[{\"token\":\"windows2universe.org\",\"userCount\":62.981969934674},{\"token\":\"lifehacker.com\",\"userCount\":62.964321782051435},{\"token\":\"cartier.com\",\"userCount\":62.9401599579562},{\"token\":\"ralphlauren.com\",\"userCount\":62.93481540700425},{\"token\":\"rolex.com\",\"userCount\":62.933701958889266}]},{\"counterName\":\"autocompleteIndexer.output.top_5_popular_appnames\",\"counterValue\":[{\"token\":\"Facebook\",\"userCount\":100.0},{\"token\":\"Spotify\",\"userCount\":95.26094213298802},{\"token\":\"com.facebook.orca\",\"userCount\":93.11922468380857},{\"token\":\"com.apple.appstored\",\"userCount\":70.68313382198859},{\"token\":\"Netflix\",\"userCount\":65.30195042706302}]},{\"counterName\":\"autocompleteIndexer.output.top_5_popular_keywords\",\"counterValue\":[{\"token\":\"lamborghini\",\"userCount\":99.94711121453807},{\"token\":\"mercedes\",\"userCount\":99.78833351334077},{\"token\":\"bmw\",\"userCount\":99.69614000941976},{\"token\":\"benz\",\"userCount\":99.41822335991877},{\"token\":\"mercedes benz\",\"userCount\":99.41822335991877}]},{\"counterName\":\"autocompleteIndexer.output.googleTldCount\",\"counterValue\":[{\"token\":\"google.com\",\"userCount\":57.73100429679627}]},{\"counterName\":\"autocompleteIndexer.output.appleTldCount\",\"counterValue\":[{\"token\":\"apple.com\",\"userCount\":57.7610117234952}]},{\"counterName\":\"autocompleteIndexer.output.iphoneKeywordCount\",\"counterValue\":[]},{\"counterName\":\"autocompleteIndexer.output.androidKeywordCount\",\"counterValue\":[]},{\"counterName\":\"autocompleteIndexer.output.facebookAppCount\",\"counterValue\":[{\"token\":\"Facebook\",\"userCount\":100.0}]},{\"counterName\":\"autocompleteIndexer.output.instagramAppCount\",\"counterValue\":[]}],\"projectName\":\"Palomar\",\"releaseVersion\":\"1.4.0.amxbeta\"}"
|spath output=token path=counterList{}.counterValue{}.token
| spath output=Count path=counterList{}.counterValue{}.userCount
| eval data=mvzip(token,Count)
| table data| mvexpand data 
| makemv data delim="," 
| eval token=mvindex(data,0),Count=mvindex(data,1) 
| fields - data 
| table token Count