Re: Can you help me with my search to extract and ...

harishnpandey · ‎10-04-2018

Hi ,

I want a Splunk query to extract and stats count filed from JSON msg body.

For e.g:

index=abc org_name="JBL" AND app_name="contract-rules" AND space_name=Production msg="LoggingService = ContractRule, ContractId, Type = *, Status = Success"|stats count as Success by Src,Type

app_id:  6a878fd5-540e-4a28-b7ae-970e8a91b74e   
     app_name:   contract-rules 
     org_name:   JBL    
     space_name: Production 
     message_type:   OUT    
     **msg:  2018-10-04 18:27:38.302  INFO [bill-cntct-rules-v0,57a307b46ae1593b,57a307b46ae1593b,true] 18 --- [nio-8080-exec-4] c.u.f.b.c.service.CntctRuleService    : LoggingService = ContractRule, ContractId = H235678, Type = ASC, Src = JBL, Status = Success** 
     origin:     rep    
     source_instance:    2  
     source_type:    APP/PROC/WEB   
     timestamp:  1538677658302837000    
}

harishnpandey · ‎10-05-2018

Attached snippet . Current SQL allows me to result the count using stats of fields out of msg body.

Below is my msg body
msg: 2018-10-05 18:01:50.429 INFO [billing-contract-rules-v0,873b26f593081fd6,873b26f593081fd6,true] 19 --- [nio-8080-exec-3] c.u.f.b.c.service.ContractRuleService : LoggingService = ContractRule, ContractId = MY66610, Type = CAS, Src = BMX, Status = Success

jgbricker · ‎10-05-2018

so if u put the part of my sample search below without the field=msg just prior to your pupe stats portuon it should work.

|rex “Type\s+\=\s+(?P<Type>[^\,]+)\,\s+Src\s+\=\s+(?P<Src>[^\,]+)\,”

jgbricker · ‎10-09-2018

any luck?

jgbricker · ‎10-04-2018

This assumes that you have msg extracted, if not drop field=msg.

index=abc org_name="JBL" AND app_name="contract-rules" AND space_name=Production msg="LoggingService = ContractRule, ContractId, Type = , Status = Success" |rex field=msg “Type\s+\=\s+(?P<Type>[^\,]+)\,\s+Src\s+\=\s+(?P<Src>[^\,]+)\,” |stats count as Success by Src,Type

harishnpandey · ‎10-05-2018

Did not work

Error in 'SearchParser': Missing a search command before '^'. Error at position '228' of search query 'search index=abc org_name="JBL" c...{snipped} {errorcontext = (?P[^\,]+)\,\s+}'.

jgbricker · ‎10-05-2018

hmm seems to be something with the search syntax. Can you add a screenshot?

harishnpandey · ‎10-05-2018

Attached snippet

harishnpandey · ‎10-04-2018

Basically I want to extract Src, Type and same want to use in my stats count

jgbricker · ‎10-04-2018

Can you clarify what you want extracted from the message body? The rex command would likely work well but need to clarify your goal(s).

Can you help me with my search to extract and stats count a JSON field using Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation