topic Re: How to write regex to filter events in JSON format? in Splunk Search

How to write regex to filter events in JSON format?

p_gurav — Tue, 29 Sep 2020 12:36:53 GMT

Hi,
Kindly help me with this issue:

{"sim-slot":"0","terminal-vendor":"Vendor","default-sms-app":"own","screen-orientation":"portrait","response-code":"200","secondary-device-type":"","international":"0","subject-region":"Lat=0,Lon=0,Alt=0,Acc=0","locale":"en_US","timestamp":"2017-01-19T13:24:22.986+00:00","user-agent":"IM-client/OMA1.0 model/brand-5.1 RCSAndrd/0.0.0 COMLib/0.00.00.rev00000","evt-client-version":"0.0.0","active-cs-call":"no","sbc-ip":"99.99.9.999:9999","transaction-id":"9aa99a9a-9aa9-99a9-a999-a9a9a999aa00","init-service-tag":"audiocall","description":"call-sip-invite-parent","call-id":"ZZZZZZZZZZZ","app-state":"foreground","module":"cs","terminal-sw-version":"0.0","imsi":"99999999999","remote-peer":"+99999999999","cell-id":"99999","platform":"phone-android","client-version":"3.10.32.rev74692","direction":"outgoing","network-bearer":"CELLULAR_LTE","terminal-model":"Model","sim":"mcc(000),mnc(000)","result":"success","identity":"+999999999999","device-id":"imei(9999999999),tac(99999)"}

This is my sample log and i need to filter out events having specifically description:call-sip-invite-parent AND response-code:200.
Events having response-code other than 200 for description:call-sip-invite-parent should be indexed.Kindly help with the regex

Re: How to write regex to filter events in JSON format?

gcusello — Fri, 27 Jan 2017 13:08:45 GMT

Hi p_gurav,
this the regex to extract your two fields.

\"response-code\":\"(?<responsecode>[^\"]*)\".*\"description\":\"(?<description>[^\"]*)\"

you can test it at https://regex101.com/r/3RcXn1/1

Bye.
Giuseppe

Re: How to write regex to filter events in JSON format?

p_gurav — Fri, 27 Jan 2017 13:24:04 GMT

Hi Cusello,

Thanks for your reguler expression. I think their is confusion I want to send this kind of events to nullQueue for which I required REGEX stanza to be add into transforms.conf.

Re: How to write regex to filter events in JSON format?

gcusello — Fri, 27 Jan 2017 13:36:03 GMT

Ok no problem,
try this regex

\"response-code\":\"200\".*\"description\":\"call-sip-invite-parent\"

before you can test it in Splunk using regex command and if it's Ok put in transforms.conf.
Bye.
Giuseppe

Re: How to write regex to filter events in JSON format?

woodcock — Sun, 05 Mar 2017 06:05:06 GMT

Like this (on our indexers):

props.conf:

[YourSourcetypeHere]
TRANSFORMS-t1=eliminate-RC200-and-CSIP

transforms.conf:

[eliminate-RC200-and-CSIP]
REGEX = (?ms)\"response-code\":\"200\".*\"description\":\"call-sip-invite-parent\"
DEST_KEY = queue
FORMAT = nullQueue

Bounce splunkd on each indexer and all future events to be indexed will be filtered.