topic Re: Help with Rex Commands in Splunk Search

Help with Rex Commands

splunknewbie81 — Fri, 27 Aug 2021 08:51:12 GMT

Hi All,

I am having some trouble extracing out the following with the following details

1. username
2. Default Msg
3. Date
4. Time

This is what I have tried and it gives me the username but I am stuck with how to extract the date , time and defaultmsg.

can someone please help me? Thank You so much

Index=xxx-xxx
| rex (?<username>\w+@\w+.\w+)
|table username DefaultMsg Date TIme

Thank You

regards,
Alex

Re: Help with Rex Commands

isoutamo — Fri, 27 Aug 2021 09:02:58 GMT

in next time we prefer those events as text, so it's easier to check and create that rex 😉

You could try this:

.... | rex "\"defaultMsg\":\"(?<defaultMsg>[^\"]+)\".*\"userName\":\"(?<userName>[^\"]+)"

https://regex101.com/r/AtrUKE/1 You could test it with this.

Date and time you should get correctly on indexing time. Then you can take those from _time like

.... | eval date = strftime(_time, "%Y-%m-%d"), time = strftime(_time, "%H:%M:%S") | eval dispDateTime = strftime(_time, "%b %d %H:%M:%s")

r. Ismo

Re: Help with Rex Commands

ITWhisperer — Fri, 27 Aug 2021 09:05:42 GMT

Try something like this

Index=xxx-xxx | rex ^(?<Date>\w+\s\d+)\s(?<Time>\d+:\d+:\d+).+\"defaultMsg\":\s*\"(?<DefaultMsg>[^\"]+)\".+\"userName\":\s*\"(?<username>[^\"]+)\" |table username DefaultMsg Date TIme

Re: Help with Rex Commands

gcusello — Fri, 27 Aug 2021 09:11:45 GMT

Hi @splunknewbie81,

Please try this regex

| rex "(?ms)^(?<date>\w+\s\d+)\s+(?<Time>\d+:\d+:\d+).*defaultMsg\":\"(?<defaultMsg>[^\"]+).*userName\":\"(?<userName>[^\"]+)"

that you can test at https://regex101.com/r/EGsp5X/1

If you could share the ssample logs in text format instead image, I could be more precise.

ciao.

Giuseppe

Re: Help with Rex Commands

PickleRick — Fri, 27 Aug 2021 09:14:03 GMT

Why not use spath to extract data from the json part?

Re: Help with Rex Commands

splunknewbie81 — Fri, 27 Aug 2021 09:33:50 GMT

Hi @PickleRick ,

Would you mind to show me a example if you don't mind?

Thank You

Regards,

Alex

Re: Help with Rex Commands

PickleRick — Fri, 27 Aug 2021 10:44:25 GMT

Sure. First extract the raw json part into a field, then use spath to extract a value from json. Like that:

| rex "(?<jsondata>{.*})" |  spath input=jsondata path="defaultMsg" | spath input=jsondata path="userName"

Re: Help with Rex Commands

splunknewbie81 — Fri, 27 Aug 2021 11:26:11 GMT

Hi @gcusello ,

Please find pdf of the text

Re: Help with Rex Commands

gcusello — Fri, 27 Aug 2021 12:44:28 GMT

Hi @splunknewbie81,

OK, I confirm the previous regex.

Ciao.

Giuseppe

P.S.: for the next time, put the logs in the Insert/edit code sample button (the one with </>), it's easier than a pdf.

Re: Help with Rex Commands

isoutamo — Sat, 28 Aug 2021 07:38:45 GMT

Also spath is one option. But if you have lot of events and those are big then it's good to check what are cost for use it vs pure rex. You could use job inspector for that.
r. Ismo

Re: Help with Rex Commands

PickleRick — Sat, 28 Aug 2021 08:37:15 GMT

You're 100% right - spath does manipulation on a higher level so with bigger amounts of dataraw regex manipulation might indeed be faster. But spath is faster to write and might just be quick enough.

Re: Help with Rex Commands

splunknewbie81 — Thu, 02 Sep 2021 06:51:07 GMT

May I check if I can use eval command to actually filter to stop the data from showing up?

If yes, would anyone please show me how to use eval command?

Re: Help with Rex Commands

isoutamo — Thu, 02 Sep 2021 07:06:43 GMT

Hi
Probably yes, but can you create a new question for that where you give example with data and result what you are meaning. For that way it's easier for community members found this question later on.
r. Ismo