topic Re: Using regex to extract summary in Splunk Search

Using regex to extract summary

bigll — Mon, 29 Apr 2024 21:48:35 GMT

in raw data I have portion that I would like to use in report.

"changes":{"description":{"before":"<some text or empty>","after":"<some text or empty>"}}

I created

rex summary= "changes":\{"description":\{"before":"<some text or empty>","after":"<some text or empty>"\}\})"

But it doesn't work.

Please advise

Re: Using regex to extract summary

ITWhisperer — Mon, 29 Apr 2024 22:26:22 GMT

This is not how rex works - you need to provide a pattern as a regular expression to identify what you want to extract. For example, do you want everything from "change" to "}}"? Does this pattern hold true for all your event where you want to extract this field?

Aside from that, this looks like json - why aren't you using spath or the other json functions to extract the json field?

Re: Using regex to extract summary

gcusello — Tue, 30 Apr 2024 05:28:04 GMT

Hi @bigll ,

as @ITWhisperer said, this seems to be a json format so the INDEXED_ENTRACTION = json option in props.conf or the spath command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath) is the easiest solution to your requirement.

Then the rex command has a different format to extract fields: the fied definition must be located inside the rex definition, as the following example using your data:

| rex "before\":\"(?<summary_before>[^\"]+)\".\"after\":\"(?<summary_after>[^\"]+)"

You can see how to extract and test your regex at https://regex101.com/r/22aHz1/1

Ciao.

Giuseppe

Re: Using regex to extract summary

bigll — Tue, 30 Apr 2024 11:05:45 GMT

Thank you for your message.

You are correct, I need everything between {} as a value of the field I can include in the table.

Re: Using regex to extract summary

ITWhisperer — Tue, 30 Apr 2024 11:15:46 GMT

Try this

| rex "\"changes\":(?<changes>\{.*?\}\})"