Rex help for field extraction

Path Finder

Please help me with rex.
I have key and value in JSON format:

{"context":{

"sessionID":"1234567890",
"eventSeverity":"Debug",
"msgType":"REQUEST",
"appID":"someServices",
"eventID":"START","msgPayload":{"inboundMsg":{"msgContentType":"{"idtypes":["ABCDE","ABC"],"userName":"someName"}"}}}}
How do I retrieve fields out of it?

1 Solution

SplunkTrust

Which value do you want to extract?


Revered Legend

Try like this. The rex sed command is required, as your data seems to have extra double quotes making it not pure JSON.

your current search which includes field _raw | rex mode=sed "s/\"{/{/g" | rex mode=sed "s/}\"/}/g" | spath
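
As an added check (example Python, not code from this thread or from Splunk): the `"{` -> `{` rewrite in the reply above, together with the matching `}"` -> `}` rewrite needed for the closing quote of the embedded object, is a plain text substitution, so it can be tried offline on a copy of an event before it goes into a search. The script below applies both rewrites to an event constructed to match the one in the question, confirms the raw text is rejected as JSON before the repair and accepted afterwards, and flattens the parsed object into spath-style field names (nested keys joined with `.`, arrays as `key{}`). The event text and the `parses_as_json`, `repair_embedded_json`, `flatten` and `extract_fields` helpers are all this example's own, not Splunk APIs.

```python
import json

# Constructed sample event, modelled on the one in the question (not a real
# Splunk event). The value of msgContentType is a JSON object that was
# embedded inside a string without escaping its quotes, so the event as a
# whole is not valid JSON: spath and json.loads both reject it as-is.
RAW_EVENT = (
    '{"context":{"sessionID":"1234567890","eventSeverity":"Debug",'
    '"msgType":"REQUEST","appID":"someServices","eventID":"START",'
    '"msgPayload":{"inboundMsg":{"msgContentType":'
    '"{"idtypes":["ABCDE","ABC"],"userName":"someName"}"}}}}'
)


def parses_as_json(text: str) -> bool:
    """True if the whole text is one valid JSON document."""
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True


def repair_embedded_json(raw: str) -> str:
    """Same rewrites as the two sed expressions: drop the quote that opens
    the embedded object ("{ -> {) and the quote that closes it (}" -> }).
    This is a blind text edit: a legitimate string value that starts with
    '{' or ends with '}' (e.g. "{not json}") would be mangled as well, so
    check the output against a sample of real events before relying on it."""
    fixed = raw.replace('"{', '{')
    return fixed.replace('}"', '}')


def flatten(obj, prefix=""):
    """Flatten parsed JSON into spath-style field names: nested keys are
    joined with '.', and an array becomes a multivalue field named key{}
    (a Python list here), which is how spath reports arrays."""
    fields = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            fields.update(flatten(value, name))
    elif isinstance(obj, list):
        name = f"{prefix}{{}}"
        for item in obj:
            if isinstance(item, (dict, list)):
                for key, value in flatten(item, name).items():
                    fields.setdefault(key, []).extend(
                        value if isinstance(value, list) else [value])
            else:
                fields.setdefault(name, []).append(item)
    else:
        fields[prefix] = obj
    return fields


def extract_fields(raw: str) -> dict:
    """Repair the event, parse it, and flatten it the way spath would."""
    return flatten(json.loads(repair_embedded_json(raw)))


if __name__ == "__main__":
    print("valid JSON before repair:", parses_as_json(RAW_EVENT))
    print("valid JSON after repair: ", parses_as_json(repair_embedded_json(RAW_EVENT)))
    for name, value in extract_fields(RAW_EVENT).items():
        print(f"{name} = {value}")
```

If the flattened names come out as expected here, the same two sed rewrites in front of `spath` will produce fields such as `context.sessionID` and `context.msgPayload.inboundMsg.msgContentType.idtypes{}` in Splunk; if the repair breaks a real event, the `parses_as_json` check is where it shows up.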

Revered Legend

Is this _raw or a field?


Path Finder

Yes, this is the _raw field.



Path Finder

sessionID,eventSeverity,msgType,appID,eventID,msgPayload,inboundMsg,msgContentType,idtypes,userName


SplunkTrust

I'd recommend KV_MODE=json.

But if you want to see how it's done then here ya go

... | rex "sessionID\":\"(?<SessionID>\d+)"
... | rex "eventSeverity\":\"(?<EventSeverity>\w+)"
... | rex "msgType\":\"(?<msgType>\w+)"
... | rex "appID\":\"(?<AppID>\w+)"
... | rex "eventID\":\"(?<EventID>\w+)"

Path Finder

"idtypes":["ABCDE","XYZ"]

How do I write it for this?


Motivator

What do you want to extract? ABCDE or XYZ, or the whole string ABCDE,XYZ?


Path Finder

["ABCDE","XYZ"]

This entire value.


SplunkTrust

Here ya go. If this answered your question, can you please accept it?

... | rex "idtypes\":\[\"(?<Name1>\w+)\",\"(?<Name2>\w+)"


Motivator

try this:

... | rex "\"idtypes\":(?<idtypes>\S+)[,]"
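
An added example (Python, not code from this thread; Python's `re` writes a named group as `(?P<name>...)` where Splunk's rex writes `(?<name>...)`, the rest of the pattern text being the same PCRE syntax) on why a `\S+` capture terminated by a comma is fragile for this field: `\S+` is greedy and backtracks only as far as the last comma that still lets the match succeed, so on the event in the question it returns the whole array only because the next comma after the array happens to be the one before `userName`. The script constructs two events (sample data, not real Splunk output), the second with one extra key after `userName`, and compares that pattern with one anchored on the array's own brackets, then splits the captured array into separate values. `EVENT_A`, `EVENT_B`, `LOOSE`, `STRICT`, `extract_idtypes` and `split_idtypes` are this example's own names.

```python
import re

# Two constructed events (sample data, not real Splunk output). EVENT_A
# mirrors the fragment in the thread; EVENT_B has one more key after
# userName, which is enough to make the loose pattern overshoot.
EVENT_A = '{"idtypes":["ABCDE","XYZ"],"userName":"someName"}'
EVENT_B = '{"idtypes":["ABCDE","XYZ"],"userName":"someName","role":"admin"}'

# Loose pattern: \S+ is greedy and backtracks only as far as the LAST comma
# that still lets the match succeed, so what it captures depends on every
# key that follows idtypes rather than on the array itself.
LOOSE = re.compile(r'"idtypes":(?P<idtypes>\S+)[,]')

# Anchored pattern: capture from the opening bracket to the first closing
# bracket. Assumes no nested arrays and no literal ']' inside the values,
# which holds for an array of plain strings like this one.
STRICT = re.compile(r'"idtypes":(?P<idtypes>\[[^\]]*\])')


def extract_idtypes(event: str, pattern: re.Pattern = STRICT):
    """Return the raw array text captured for idtypes, or None if absent."""
    match = pattern.search(event)
    return match.group("idtypes") if match else None


def split_idtypes(event: str) -> list:
    """Split the captured array into its string values, i.e. the multivalue
    form that spath (or a later eval split) would give for the field."""
    array_text = extract_idtypes(event)
    if array_text is None:
        return []
    return re.findall(r'"([^"]*)"', array_text)


if __name__ == "__main__":
    for label, event in (("A", EVENT_A), ("B", EVENT_B)):
        print(f"event {label}: loose  -> {extract_idtypes(event, LOOSE)!r}")
        print(f"event {label}: strict -> {extract_idtypes(event)!r}")
        print(f"event {label}: values -> {split_idtypes(event)}")
```

Translated back to SPL, the anchored form is `| rex "\"idtypes\":(?<idtypes>\[[^\]]*\])"`; it captures the same `["ABCDE","XYZ"]` regardless of what keys follow, which is what you want when the event layout is not under your control.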

Path Finder

if you can add
KV_MODE = json
to your props.conf for this sourcetype it's going to save you a lot of trouble (extraction will be automatic).

rex is most useful when automatic extraction fails; try the builtin functionality first.

more details available here:
https://answers.splunk.com/answers/124406/extracting-fields-from-json-file-format.html


Path Finder

I need it during search time.


Path Finder

understood. If this is something you're going to do on an ongoing basis, it's still a very good idea to get this stuff indexed in a usable manner instead of relying on searchtime hacks. If it's a one-off, carry on 🙂
