Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How to write regex to filter events in JSON format?

p_gurav
Champion
‎01-27-2017 03:09 AM

Hi,
Kindly help me with this issue:

{"sim-slot":"0","terminal-vendor":"Vendor","default-sms-app":"own","screen-orientation":"portrait","response-code":"200","secondary-device-type":"","international":"0","subject-region":"Lat=0,Lon=0,Alt=0,Acc=0","locale":"enUS","timestamp":"2017-01-19T13:24:22.986+00:00","user-agent":"IM-client/OMA1.0 model/brand-5.1 RCSAndrd/0.0.0 COMLib/0.00.00.rev00000","evt-client-version":"0.0.0","active-cs-call":"no","sbc-ip":"99.99.9.999:9999","transaction-id":"9aa99a9a-9aa9-99a9-a999-a9a9a999aa00","init-service-tag":"audiocall","description":"call-sip-invite-parent","call-id":"ZZZZZZZZZZZ","app-state":"foreground","module":"cs","terminal-sw-version":"0.0","imsi":"99999999999","remote-peer":"+99999999999","cell-id":"99999","platform":"phone-android","client-version":"3.10.32.rev74692","direction":"outgoing","network-bearer":"CELLULARLTE","terminal-model":"Model","sim":"mcc(000),mnc(000)","result":"success","identity":"+999999999999","device-id":"imei(9999999999),tac(99999)"}

This is my sample log and i need to filter out events having specifically description:call-sip-invite-parent AND response-code:200.
Events having response-code other than 200 for description:call-sip-invite-parent should be indexed.Kindly help with the regex

Tags (1)
0 Karma
Reply
Highlighted

Re: How to write regex to filter events in JSON format?

gcusello
Legend
‎01-27-2017 05:08 AM

Hi p_gurav,
this the regex to extract your two fields.

\"response-code\":\"(?<responsecode>[^\"]*)\".*\"description\":\"(?<description>[^\"]*)\"

you can test it at https://regex101.com/r/3RcXn1/1

Bye.
Giuseppe

0 Karma
Reply
Highlighted

Re: How to write regex to filter events in JSON format?

p_gurav
Champion
‎01-27-2017 05:24 AM

Hi Cusello,

Thanks for your reguler expression. I think their is confusion I want to send this kind of events to nullQueue for which I required REGEX stanza to be add into transforms.conf.

0 Karma
Reply
Highlighted

Re: How to write regex to filter events in JSON format?

gcusello
Legend
‎01-27-2017 05:36 AM

Ok no problem,
try this regex

\"response-code\":\"200\".*\"description\":\"call-sip-invite-parent\"

before you can test it in Splunk using regex command and if it's Ok put in transforms.conf.
Bye.
Giuseppe

0 Karma
Reply
Highlighted

Re: How to write regex to filter events in JSON format?

woodcock
Esteemed Legend
‎03-04-2017 10:05 PM

Like this (on our indexers):

props.conf:

[YourSourcetypeHere]
TRANSFORMS-t1=eliminate-RC200-and-CSIP

transforms.conf:

[eliminate-RC200-and-CSIP]
REGEX = (?ms)\"response-code\":\"200\".*\"description\":\"call-sip-invite-parent\"
DEST_KEY = queue
FORMAT = nullQueue

Bounce splunkd on each indexer and all future events to be indexed will be filtered.

0 Karma
Reply