I have been using the field extractor regular expression to extract a value from a field.
The problem I am running in to is that the order of the information in the field is not always consistent.
Here is a screenshot example of what I am talking about.
As you can see, I am looking to extract the integer value after the key word "valid_secs", but sometimes the order of the information is inconsistent. So when "valid_secs" and its value do not appear in the same spot, the field extractor fails to recognize the value I am attempting to extract (this is shown by the red arrows).
My question is this: Is there a way to extract the value after the key word "valid_secs"? So whenever the word "valid_secs" is spotted, it takes the value after it, which in the case of my screenshot would be 15000 or 3600, and stores this value in a new field name of my choice.
Is this something that is possible with Splunk? Or is this type of manipulation not supported?
Any answer on whether this may or may not be possible will be greatly appreciated!
P.S. The reason I am attempting this action is this: I am trying to create an alert that gets triggered whenever the value after "valid_secs" is greater than 14400.
The reason I can't do this without the field extractor is because this information is pulled in a description field, which also has a lot of other information. A screenshot of how the event looks when it comes in is below.
Thank you very much for taking the time to help me with this issue! I really appreciate the help.
Ryan
I just wanted to let everyone know how I figured this out.
The trick to getting this to work was using the FIELD EXTRACTOR and entering in my own custom REGULAR EXPRESSION.
JSON format can be tricky; it omits certain special characters. So I needed to view the event as "raw text" in order to see the extra backslashes that need to be accounted for.
The Regular Expression that I typed into the Field Extractor is below:
\\"valid_secs\\":\s(?<valid_secs>\d+)
This Regular Expression was able to successfully extract the integer value that came after the words "valid_secs" and store it into its own field which I named 'valid_secs'.
Once this new field was extracted, I was able to type in the below search to get all events in which the field "valid_secs" was greater than the value 14400:
index=duo | search valid_secs>14400
I saved that search as an alert and I now get an alert every time that event is triggered.
Thank you to anyone who took the time to help and I hope this helps.
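The extraction and threshold check from the answer above, as an added example that is not part of the original thread: the field-extractor regex applied with Python's re module over constructed raw events (not real Duo logs) whose description field is an escaped JSON string, with a backslash-free pattern shown alongside to illustrate why viewing the raw text mattered. The make_event helper, the sample values and the naive pattern are my own assumptions.

```python
import json
import re

# The field-extractor regex from the answer. In the raw event the description
# is a JSON object serialised into a string, so the quotes around its keys
# appear as \" in the raw text and the regex has to match that backslash too.
VALID_SECS_RE = re.compile(r'\\"valid_secs\\":\s(?P<valid_secs>\d+)')

# What a regex written against the pretty-printed JSON view would look like;
# it never sees the backslash and therefore never matches the raw text.
NAIVE_RE = re.compile(r'"valid_secs":\s(?P<valid_secs>\d+)')

ALERT_THRESHOLD = 14400  # seconds, the alert condition from the question


def make_event(action, description_fields):
    """Build a constructed raw event (hypothetical shape, not a real Duo log).
    The outer json.dumps escapes the inner JSON's quotes, giving the \" seen
    in Splunk's raw-text view; dict order is preserved, so the key order in the
    description varies exactly the way the question describes."""
    return json.dumps({"action": action,
                       "description": json.dumps(description_fields)})


SAMPLE_EVENTS = [
    make_event("policy_update", {"valid_secs": 15000, "name": "policy-a"}),
    make_event("policy_update", {"name": "policy-b", "users": 12, "valid_secs": 3600}),
    make_event("policy_update", {"name": "policy-c", "users": 3}),      # no valid_secs at all
    make_event("policy_update", {"name": "policy-d", "valid_secs": 14400}),  # exactly at the threshold
]


def extract_valid_secs(raw_event, pattern=VALID_SECS_RE):
    """Return the integer after valid_secs wherever it sits in the event, or None."""
    m = pattern.search(raw_event)
    return int(m.group("valid_secs")) if m else None


def extract_naive(raw_event):
    """Same extraction with the backslash-free pattern; returns None on raw text."""
    return extract_valid_secs(raw_event, NAIVE_RE)


def events_over_threshold(raw_events, threshold=ALERT_THRESHOLD):
    """Offline equivalent of `index=duo | search valid_secs>14400`."""
    hits = []
    for ev in raw_events:
        value = extract_valid_secs(ev)
        if value is not None and value > threshold:  # strictly greater, as in the search
            hits.append((value, ev))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_valid_secs(ev), "| naive:", extract_naive(ev))
    print("would alert on:", [v for v, _ in events_over_threshold(SAMPLE_EVENTS)])
```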
JSON formatting can be tricky. Can you use rex?
| rex "\s\"valid_secs\"\:\s(?<valid_secs>\d+)"
I have been attempting to use rex but so far have been unsuccessful. I tried your suggestion as well, to no avail. This is a tricky little loophole that I have not been able to find much information on anywhere. Seems like some manipulation work will be needed in order to get it working the way I want it to. Thank you for the reply anyways.