topic Re: rex help... in Splunk Search

rex help...

msarkaus — Tue, 15 Oct 2024 18:06:51 GMT

Greetings,

Please help!!

I need to extract the ID value from the two events below, and I’m kinda banging my head here… . I just need to list Q123456789 and each ID in my dashboard. But it I can’t get past all of the special characters.

I’ve tried using different combinations like this:

| eval msg=”the event” | rex "msg =(?< policyId >\w+)” | table policyId

But what I would really like to have something like this in my dashboard:

Starting Controller Q123456789

CallStatus=Success Q123456789

Starting Controller Q123456788

CallStatus=Success Q123456788

Starting Controller Q123456787

CallStatus=Success Q123456787

And so on.

Is this possible?

Your help is always appreciated.

Thanks

Starting Controller=Fall Action=GetFallReportAssessment data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}

API=/api/Fall/reportAssessment/ CallStatus=Success Controller=Fall Action=GetFallReportAssessment Duration=27 data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}

Re: rex help...

ITWhisperer — Tue, 15 Oct 2024 12:16:20 GMT

| rex "\"policyId\":\"(?<policyId>\w+)\""

Re: rex help...

richgalloway — Tue, 15 Oct 2024 12:27:46 GMT

Regular expressions are very literal - they match exactly what they are told to match or they don't match at all. In the attempted SPL, the rex command expects to find the letters 'm', 's', 'g', a space, and '=' in that order, but they are not present in the sample events so no policyId field can be extracted. Try this

| rex field=msg "policyId\\\":\\\"(?<policyId>\w+)"

Re: rex help...

msarkaus — Tue, 15 Oct 2024 12:59:09 GMT

Unfortunately, it didn't pick up the policy ID. It returns a blank table

Re: rex help...

msarkaus — Tue, 15 Oct 2024 13:03:30 GMT

It returns a blank table.

Re: rex help...

ITWhisperer — Tue, 15 Oct 2024 13:06:02 GMT

If the rex isn't working, it is probably because it doesn't match precisely to the event you have. Please repost your events in a code block </> to preserve the formatting which will be important to getting the rex correct.

Re: rex help...

msarkaus — Tue, 15 Oct 2024 13:24:15 GMT

</API=/api/full/reportAssessment/ CallStatus=Success Controller=Full Action=GetfullReportAssessment Duration=5 data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}>

</Starting Controller=Full Action=GetClueReportAssessment data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}/

Re: rex help...

ITWhisperer — Tue, 15 Oct 2024 13:32:37 GMT

This is a code block

</API=/api/full/reportAssessment/ CallStatus=Success Controller=Full Action=GetfullReportAssessment Duration=5 data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}> </Starting Controller=Full Action=GetClueReportAssessment data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"}/

The rex pattern provided would extract the policyId from this so there is probably something different about the event as you have shown it and your actual events. If you don't provide accurate (enough) information, we will not be able to provide you with an accurate (enough) solution.

Re: rex help...

richgalloway — Tue, 15 Oct 2024 14:09:06 GMT

Please share the full SPL you ran. The one command I provided will not return a table so we need to know how you are creating a table.

Re: rex help...

msarkaus — Tue, 15 Oct 2024 15:59:49 GMT

Sorry.... I'm going to need to combine the policyid for both logs into one. Both do not work..

Thanks again for your help..

Call out

index=xxx appSubLvlNam="QAA" (msgTxt="Starting Controller=Full Action=GetFullReportAssessment data*" OR msgTxt="API=/api/full/reportAssessment/ CallStatus=Success*")

| eval msgTxt "Starting Controller=Full Action=GetFullReportAssessment data={"policyId":"Q123456789","inceptionDate":"20241011","postDate":"1900-01-01T12:00:00"}"

| rex "\"policyId\":\"(?<policyId>\w+)\""

| table policyId

Response

index=xxx appSubLvlNam="QAA" (msgTxt="Starting Controller=Full Action=GetFullReportAssessment data*" OR msgTxt="API=/api/full/reportAssessment/ CallStatus=Success*")

| eval msgTxt "API=/api/full/reportAssessment/ CallStatus=Success Controller=full Action=GetFullReportAssessment Duration=17 data={"policyId":"Q123456789","inceptionDate":"20241015","postDate":"1900-01-01T12:00:00"} "

| rex "\"policyId\":\"(?<policyId>\w+)\""

| table policyId

Re: rex help...

ITWhisperer — Tue, 15 Oct 2024 16:17:11 GMT

You need to provide your raw event in a code block - use this button

to open a code block and paste your raw event into it so we can see exactly what you are dealing with