Solved: Splunk extract exact match for a customer name

balash1979 · ‎08-15-2019

Here is my splunk log line

{"line":"2019-08-15T17:48:28.935Z LCS {\"configName\":\"Apple-SQS\",\"customerName\":\"Apple\"} INFO  i.r.p.s.Processor - finished processing}

When I search , I am trying the following

index=docker_logs_index  | search "Apple"

My search is catching Apple because Apple is part of configName but I only want to see results if customerName is Apple.
How can I modify my splunk query to accomplish that.

mayurr98 · ‎08-15-2019

Try this:

 .. | rex "customerName\\\\\":\\\\\"(?<customerName>[^\\\]+)" | search customerName="Apple"

OR

  | rex "customerName\\\\\":\\\\\"(?<customerName>\w+)" | search customerName="Apple"

View solution in original post

Sukisen1981 · ‎08-15-2019

try this

 index=docker_logs_index | rex field=_raw "customerName\\\+\"+\:+\\\+\"(?<custname>.*?)\\\+\"" | where custname="Apple"

mayurr98 · ‎08-15-2019

Try this:

 .. | rex "customerName\\\\\":\\\\\"(?<customerName>[^\\\]+)" | search customerName="Apple"

OR

  | rex "customerName\\\\\":\\\\\"(?<customerName>\w+)" | search customerName="Apple"

Splunk extract exact match for a customer name

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!