topic Re: rex help in Splunk Search

rex help

cbiraris — Tue, 10 Dec 2024 11:41:59 GMT

Hi Team,

I need help to created rex field for country from the sample log format as below. but country name position is not static and its getting change log by log in {}. can you help me to create regex field for country only ?

sample1

Student":{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

sample2
:Student":{"firstName":"XYZ","state":"MH","rollNum":147,"country":"IND","phoneNum":1478,"lastName":"qwe","phoneNu}

sample3
:Student":{"firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu,"country":"IND"}

so its mean, "country":"IND" anywhere in Student":{} should catch by regex

Re: rex help

alizarei — Tue, 10 Dec 2024 13:03:44 GMT

The rex command is used to search for a regular expression (regex) in a specific field. Here, the default field _raw is used, which contains the entire log.
Regex:

\"country\":\": This part looks for "country":".
(?<country>[^\"]+):
(?<country>...): Creates a group named country.
[^\"]+: Matches any character other than ". This part extracts the country value.
Finally, the country value (for example, IND) is stored in a new field named country.

This structure helps extract the word country wherever it appears.

| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""

You can test with this structure in regex101

(country":"([^"]+))

Re: rex help

cbiraris — Tue, 10 Dec 2024 13:21:37 GMT

I have a log which contain multiple countries in same format so it grabbing all other countries from same individual log .

for example:

Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

So if i use | rex field=_raw "\"country\":\"(?<country>[^\"]+)\"" it showing me IND and USA. but i only want country related to student.

Also as i stated earlier position of "country":"*" is not same for all logs. its coming between anywhere Student:{*}

Re: rex help

ITWhisperer — Tue, 10 Dec 2024 13:21:09 GMT

This looks like JSON - you might be better off using spath to parse the event.

Re: rex help

cbiraris — Tue, 10 Dec 2024 13:23:36 GMT

Can you help with spath

Re: rex help

ITWhisperer — Tue, 10 Dec 2024 16:42:31 GMT

Please share your anonymised raw event in a code block (using the </> button)

Re: rex help

PickleRick — Tue, 10 Dec 2024 17:58:07 GMT

Handling structured data (and this looks like JSON; the question is whether it is a well-formed JSON or a JSON with headers or any other similar invention) with regex is prone to cause problems sooner or later. When a source produces structured data there is no guarantee that it will always output the fields in any particular order (that's why you use structured formats so you don't have to worry about stuff like position within a line and so on). If your event is well-formed JSON data you should be better off with KV_MODE=json - let Splunk handle parsing.

Re: rex help

rishabhshah — Wed, 11 Dec 2024 15:08:16 GMT

Try this regex -

Student.*?country\"\:\"(?<country>[\w]+)\"