topic Re: Regular expression for json in Splunk Search

Help with Regular expression for json

chvenu17 — Mon, 11 Apr 2022 15:37:12 GMT

I need regular expression to extract JSON from message field .. Can some one help

After extract i want to parse the extracted json using spath command

{ [-]
@timestamp: 2022-04-09T05:50:04.336Z
@version: 1
file: test.log
message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}
name: test
no: 111111111111

}

Re: Regular expression for json

ITWhisperer — Sat, 09 Apr 2022 07:20:16 GMT

This assumes that the message field is immediately followed by name

(?ms)message:.+?(?<json>\{.*\})\s*name

Re: Regular expression for json

chvenu17 — Sat, 09 Apr 2022 07:36:52 GMT

Thanks for immediate response

Name is another field

The "message" field contains below sample data ..it just ends with JSON object.

I need to extract json and create new field

message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}

Re: Regular expression for json

ITWhisperer — Sat, 09 Apr 2022 07:41:03 GMT

| rex "(?ms)message:.+?(?<json>\{.*\})\s*name"

Re: Regular expression for json

chvenu17 — Sat, 09 Apr 2022 07:48:00 GMT

Not getting, just getting empty output

| rex "(?ms)message:.+?(?<json>\{.*\})\s*name" |table json

Re: Regular expression for json

chvenu17 — Sat, 09 Apr 2022 08:26:21 GMT

The below rex giving "{" as output ( the start of json)..Need to tweak to print to the end

|table message
| rex field=message "Request \#[0-9]+\: (?<json>.+)" |table json

Re: Regular expression for json

ITWhisperer — Sat, 09 Apr 2022 08:36:28 GMT

Try with the ms flags so that . will match across new lines

| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"

Re: Regular expression for json

chvenu17 — Sat, 09 Apr 2022 08:41:14 GMT

it perfectly worked. What does (?ms) represents here . Can you explain

Thank you

Re: Regular expression for json

ITWhisperer — Sat, 09 Apr 2022 08:57:31 GMT

m - means multiline

s - means . will match to new line - this is actually the important one in this instance

| rex field=message "(?s)Request \#[0-9]+\: (?<json>.+)"

This should also work for you.

Re: Regular expression for json

chvenu17 — Sat, 09 Apr 2022 09:03:26 GMT

Thanks

Re: Regular expression for json

senthild — Tue, 06 Feb 2024 22:59:46 GMT

i have my json data where sometimes we are unable to see the status: closed field in some of the events as i want to write a regex to bring this in event  state: { [-]
     alert_id: orca-8452634
     closed_reason: null
     closed_time: null
     created_at: 2023-07-06T11:41:18+00:00
     high_since: null
     in_verification: null
     is_new_score: null
     last_seen: 2024-02-04T11:38:11+00:00
     last_updated: 2024-02-05T13:45:45+00:00
     low_since: 2024-02-05T13:45:45+00:00
     orca_score: 7
     risk_level: high
     rule_source: null
     score: 2
     severity: imminent compromise
     status: closed
     status_time: 2024-02-05T13:45:45+00:00
     verification_status: null

Can anyone help us to close this