topic Re: Rex Help for fields extraction in Splunk Search

Rex Help for fields extraction

sravankaripe — Mon, 13 Feb 2017 15:55:06 GMT

Please help me with rex
i have key and value in json format

{"context":{

"sessionID":"1234567890",
"eventSeverity":"Debug",
"msgType":"REQUEST",
"appID":"someServices",
"eventID":"START","msgPayload":{"inboundMsg":{"msgContentType":"{"idtypes":["ABCDE","ABC"],"userName":"someName"}"}}}}
how to retrive fields out of it.

Re: Rex Help for fields extraction

sjalexander — Mon, 13 Feb 2017 16:11:51 GMT

if you can add
KV_MODE = json
to your props.conf for this sourcetype it's going to save you a lot of trouble (extraction will be automatic).

rex is most useful when automatic extraction fails; try the builtin functionality first.

more details available here:
https://answers.splunk.com/answers/124406/extracting-fields-from-json-file-format.html

Re: Rex Help for fields extraction

skoelpin — Mon, 13 Feb 2017 16:12:17 GMT

Which value do you want to extract?

Re: Rex Help for fields extraction

sravankaripe — Mon, 13 Feb 2017 16:13:49 GMT

sessionID,eventSeverity,msgType,appID,eventID,msgPayload,inboundMsg,msgContentType,idtypes,userName

Re: Rex Help for fields extraction

sravankaripe — Mon, 13 Feb 2017 16:15:27 GMT

I need during search time.

Re: Rex Help for fields extraction

somesoni2 — Mon, 13 Feb 2017 16:17:45 GMT

Is this _raw or a field?

Re: Rex Help for fields extraction

sravankaripe — Mon, 13 Feb 2017 16:21:47 GMT

Yes,this is _raw field

Re: Rex Help for fields extraction

somesoni2 — Mon, 13 Feb 2017 16:28:12 GMT

Try like this. The rex-sed command is requires as your data seems to have extra double quotes making it not pure json.

your current search which includes field _raw | rex mode=sed "s/\"{/{/g" | spath

Re: Rex Help for fields extraction

sjalexander — Mon, 13 Feb 2017 16:37:28 GMT

understood. If this is something you're going to do on an ongoing basis, it's still a very good idea to get this stuff indexed in a usable manner instead of relying on searchtime hacks. If it's a one-off, carry on 🙂

Re: Rex Help for fields extraction

skoelpin — Mon, 13 Feb 2017 17:29:55 GMT

I'd recommend kv_mode=json

But if you want to see how it's done then here ya go

... | rex sessionID\"\:\"(?<SessionID>\d+)
... | rex eventSeverity\"\:\"(?<EventSeverity>\w+)
... | rex msgType\"\:\"(?<msgType>\w+)
... | rex appID\"\:\"(?<AppID>\w+)
... | rex eventID\"\:\"(?<EventID>\w+)

Re: Rex Help for fields extraction

sravankaripe — Mon, 13 Feb 2017 17:42:44 GMT

"idtypes":["ABCDE","XYZ"]

how to write for this

Re: Rex Help for fields extraction

dbcase — Mon, 13 Feb 2017 18:12:16 GMT

what do you want to extract? ABCDE or XYZ, or the whole string ABCDE,XYZ?

Re: Rex Help for fields extraction

sravankaripe — Mon, 13 Feb 2017 18:22:58 GMT

["ABCDE","XYZ"]

entire this value

Re: Rex Help for fields extraction

dbcase — Mon, 13 Feb 2017 18:47:20 GMT

try this:

"idtypes":(?<idtypes>\S+)[,]

Re: Rex Help for fields extraction

skoelpin — Mon, 13 Feb 2017 20:08:20 GMT

Here ya go. If this answered your question, can you please accept it?

idtypes":\["(?<Name1>\w+)"\,"(?<Name2>\w+)