topic Re: How do you use the rex command to obtain values to be put into a table? in Splunk Search

How do you use the rex command to obtain values to be put into a table?

JyotiP — Wed, 06 Sep 2017 06:53:34 GMT

I have a query :

host=*perf* bf19f0c3-2f10-4db2-b33f-efb946b0ee24 {"StatusCode":204* | table Message
Out put  of the above query is as follows :
{"StatusCode":204,"ReasonPhrase":"No Content","Method":"GET","PathAndQuery":"/api/ibor/v2/positionValuations?businessDate=2017-09-04\u0026closeoutSchemeId=1\u0026expand=*\u0026logicalTimeId=150\u0026positionStateId=40","MessageType":"Response"}

I want to take out the following value :
1. businessDate
2. positionStateId
3. closeoutSchemeId

and put them in a table in which the basic value should be businessDate=2017-09-04, positionStateId=40,closeoutSchemeId=1

Re: How do you use the rex command to obtain values to be put into a table?

JyotiP — Wed, 06 Sep 2017 07:01:49 GMT

Output table should contain the values as follows :

businessDate=2017-09-04,
positionStateId=40,
closeoutSchemeId=1

Re: How do you use the rex command to obtain values to be put into a table?

gcusello — Wed, 06 Sep 2017 07:47:08 GMT

Hi JyotiP,
use this regex with rex command

| rex ".*businessDate(?<businessDate>[^\\]*)\\u0026closeoutSchemeId\=(?<closeoutSchemeId>[^\\]*)\\u0026.*positionStateId\=(?<positionStateId>[^\"]*)"

or extracting fields.

Test it at https://regex101.com/r/USbhRP/1

Bye.
Giuseppe

Re: How do you use the rex command to obtain values to be put into a table?

JyotiP — Wed, 06 Sep 2017 10:04:42 GMT

Hi Giuseppe,

It is not working because "\" is not supporting.

Re: How do you use the rex command to obtain values to be put into a table?

JyotiP — Wed, 06 Sep 2017 10:07:01 GMT

@cusello,
tried but given the a pattern error please refer the following
https://regex101.com/r/USbhRP/1 and please select javascript.

Re: How do you use the rex command to obtain values to be put into a table?

JyotiP — Wed, 06 Sep 2017 10:20:39 GMT

{"StatusCode":204,"ReasonPhrase":"No Content","Method":"GET","PathAndQuery":"/api/ibor/v2/positionValuations?businessDate=2017-09-04\u0026closeoutSchemeId=1\u0026expand=*\u0026logicalTimeId=150\u0026positionStateId=40","MessageType":"Response"}

The highlighted value (\u0026expand=*\u0026logicalTimeId=150\u0026) are unique every time I hit it will change, and for different query the values are different but the
businessDate=2017-09-04
closeoutSchemeId=1
positionStateId=40
will be as it is. So I want to capture only above 3 value irrespective of the values followed by the above values.

Re: How do you use the rex command to obtain values to be put into a table?

gcusello — Wed, 06 Sep 2017 10:39:01 GMT

I usually use regexes in Splunk never in Javascripts, anyway try something like

.*businessDate\=([^\\]*)\\u0026closeoutSchemeId\=([^\\]*)\\u0026.*positionStateId\=([^\"]*)

where:

Group1 is businessDate
Group2 is closeoutSchemeId
Group3 is positionStateId

test it in https://regex101.com/r/USbhRP/3
Bye.
Giuseppe

Re: How do you use the rex command to obtain values to be put into a table?

amy25 — Tue, 29 Sep 2020 21:46:18 GMT

Hi
I know it's too late to answer but I would like to contribute the following idea:

|rex ".businessDate=(?\d.-\d*)\.closeoutSchemeId=(?\d\u\d).positionStateId=(?\d)"