topic Re: Query Rex in Splunk Search

Query Rex

StepneyGeezer — Sun, 28 Nov 2021 08:46:24 GMT

Hello

Am a newbie and am looking to extract data from a sample set that looks like this (its ingested in JSON):

{
   level: info
   log: uid="302650", a_msg="HandlingStatus=Finished, Message=Changed,
   log_type: containerlogs
   stream: stdout
}

I want to extract the uid data as well as the Message which is inside the a_msg.

I have

rex field=log "uid=\"(?<uid>\d{1,}+)"

which gives me the uid, but I am REALLY struggling with the Message, ideally I would like a table to be produced so from the above data it would look like

UID, Message

-------------------

302650, PlanChanged

I am reading up on Rex and Reg Ex etc, but this particular request requires a quick turnaround and i am really struggling. Any help would be appreciated.

Many thanks

Re: Query Rex

ITWhisperer — Sun, 28 Nov 2021 09:07:37 GMT

Please can you share the raw event in a code block </> rather than a formatted version of the event?

Re: Query Rex

StepneyGeezer — Sun, 28 Nov 2021 09:15:38 GMT

{"log":"a_level=\"INFO\", a_uid=\"302650\", a_msg=\"HandlingStatus=Finished, Message=PlanChanged, MessageId=0c0277da-4b4a-4c4d-abcd-49b8c1e3f896, Result=True\", "level":"info"}

Thanks @ITWhisperer - you getting me excited, i have spent ages on this

Re: Query Rex

ITWhisperer — Sun, 28 Nov 2021 09:31:20 GMT

No wonder you are struggling - this doesn't look like correctly formatted JSON - the rex you said works, doesn't work with the string you just post since it includes backslashes which are not in the rex you shared. If the backslashes really exist in your data, try something like this (the first part before the blank lines just sets up the data you shared.

| makeresults | eval _raw="{\"log\":\"a_level=\\\"INFO\\\", a_uid=\\\"302650\\\", a_msg=\\\"HandlingStatus=Finished, Message=PlanChanged, MessageId=0c0277da-4b4a-4c4d-abcd-49b8c1e3f896, Result=True\\\", \"level\":\"info\"}" | rex "uid=\\\\\"(?<uid>\d+).+Message=(?<message>[^,]+)"

Re: Query Rex

StepneyGeezer — Sun, 28 Nov 2021 09:45:18 GMT

@ITWhisperer awesome thank you, this has saved me so much time. it is producing what i need now albeit there are some anomalies in the data but i know what to do from here...thank you so much