Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the specific key value pair ?

mlevsh
Builder
‎05-04-2021 05:52 PM

We have the following data ingested (not json format) , where we are trying to extract 
"DeletedImages": 0 and "DeletedImages": 24 value pairs

Data:

2021-05-04 - 13:50:41.878 - INFO : Action completed in 0.192996025085 seconds, result is {
"images-deleted": 0,
"metrics": {
"Action": "Ec2DeleteImageAction",
"Data": {
"DeletedImages": 0
},
"Version": "1.0",
"Type": "action",
"ActionId": "12345"
},
"account": "123456789",
"task": "ABCD-EFGE-QAQ-DELETE-IMAGE",
"images": 535,
"region": "ab-east-1"
} - ReconNum:123456678901234

2021-05-04 - 13:55:41.878 - INFO : Action completed in 0.192996025085 seconds, result is {
"images-deleted": 0,
"metrics": {
"Action": "Ec2DeleteImageAction",
"Data": {
"DeletedImages": 24
},
"Version": "1.0",
"Type": "action",
"ActionId": "12345"
},
"account": "123456788",
"task": "ABCD-EFGE-QAQ-DELETE-IMAGE",
"images": 536,
"region": "ab-east-1"
} - ReconNum:123456678901235

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-04-2021 06:03 PM

Use rex with

| rex field=_raw "DeletedImages.:\s(?<DeletedImageCount>\d+)"

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-04-2021 06:03 PM

Use rex with

| rex field=_raw "DeletedImages.:\s(?<DeletedImageCount>\d+)"

 

Reply
Solved! Jump to solution

mlevsh
Builder
‎05-05-2021 12:51 PM

@bowesmana  Thank you! That worked perfectly!

 
 
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎05-04-2021 06:05 PM

Assuming that is two events. If it is a single event and you need to extract both values from it, then modify the rex statement like this

| rex field=_raw max_match=0 "DeletedImages.:\s(?<DeletedImageCount>\d+)"

and you will get a multi value field with the two values

 

Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...