Need help on rex

Ram2
Explorer

We have JSON logs. From the logs below we need a rex that extracts the failures count mentioned in the log, e.g. "(7 failures)".

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 3 batches with 3 failures.3",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 4 batches with 4 failures.4",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 5 batches with 5 failures.5",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 7 batches with 7 failures.7",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 10 batches with 10 failures.10",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}


alizarei
Engager

Hi,

You can extract all the failure counts with a rex:

| rex field=_raw "with (?<failures>\d+) failures"

PickleRick
SplunkTrust

Do you need to do this in SPL during search or are you trying to define a field extraction?

Anyway, the usual answer to "regex" and "json" in one sentence is usually "don't fiddle with regex on structured data".

With SPL it's relatively easy - extract your fields either with KV_MODE=json or explicitly using spath and do

| rex field=Comment__c "with (?<failures_no>\d+) failures"

With field extraction it might not be that easy because transforms which you could call on a json-extracted field are called before autoextractions. So you might actually need to define extraction based on raw data with that regex but that will be unintuitive to maintain since your data seems to be a well-formed json and with json you'd actually expect the explicitly named fields, not some funky stuff pulled from somewhere from the middle.

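The "parse the JSON first, then regex only the field you care about" approach from the answer above, as an added worked example (not code from the thread or from Splunk). It mirrors spath followed by rex with a Python JSON parser and the same anchored pattern, and it also shows why an unanchored `\d+` on `_raw` is the wrong tool here: the first number in each raw event is the "4" in the `/data/log/v4.0/...` URL, not the failure count. The sample events are constructed from the thread's format, with `CreatedById` quoted so that the lines are valid JSON (in the pasted sample it is unquoted), plus a zero-failures event, an event with no count and a non-JSON line to exercise the edge cases the alert has to survive. The threshold of 0 is the alert condition described later in the thread; the function and variable names are this example's own.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed sample events modelled on the thread's log format (not the poster's data).
# CreatedById is quoted so every line is valid JSON; "{n}" is substituted below.
TEMPLATE = (
    '{"attributes": {"type": "rar_Log__c", "url": "/data/log/v4.0/subject/rar"}, '
    '"Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", '
    '"Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded '
    'applications deletion completed {n} batches with {n} failures.{n}", '
    '"Contact_Id__c": null, "CreatedById": "657856MHQA", '
    '"CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}'
)

SAMPLE_EVENTS: List[str] = [TEMPLATE.replace("{n}", str(n)) for n in (3, 4, 5, 7, 10, 0)]
# Edge cases: a comment with no count at all, and a line that is not JSON.
SAMPLE_EVENTS.append(
    '{"attributes": {"type": "rar_Log__c"}, '
    '"Comment__c": "Class Name: MOT_Date3DayPurgeBatch - no counts reported"}'
)
SAMPLE_EVENTS.append("not json at all")

# Same pattern as the SPL rex: anchored on "with <n> failures" so the batch count
# ("completed 3 batches") and the trailing ".3" can never be picked up by mistake.
FAILURES_RE = re.compile(r"with (?P<failures_no>\d+) failures")


def extract_failures(event_json: str) -> Optional[int]:
    """spath-then-rex equivalent: parse the JSON, then regex only Comment__c.

    Returns None for malformed JSON, a missing/non-string Comment__c, or a
    comment without a failures count, so callers can tell "0 failures" from
    "no count found" (an alert must not treat the two the same way).
    """
    try:
        event = json.loads(event_json)
    except json.JSONDecodeError:
        return None
    comment = event.get("Comment__c") if isinstance(event, dict) else None
    if not isinstance(comment, str):
        return None
    match = FAILURES_RE.search(comment)
    return int(match.group("failures_no")) if match else None


def first_number_in_raw(event_json: str) -> Optional[int]:
    """The naive alternative: an unanchored \\d+ over _raw.

    On these events it returns 4 (from the "v4.0" in the attributes.url field)
    regardless of the real failure count, which is exactly why regex over
    structured data should be scoped to the extracted field.
    """
    match = re.search(r"\d+", event_json)
    return int(match.group(0)) if match else None


def alerting_events(events: List[str], threshold: int = 0) -> List[Tuple[int, int]]:
    """Alert condition from the thread: events whose failure count is > threshold.

    Returns (event index, failures_no) pairs; events with no extractable count
    are skipped rather than silently counted as 0 or as a failure.
    """
    hits: List[Tuple[int, int]] = []
    for index, raw in enumerate(events):
        failures = extract_failures(raw)
        if failures is not None and failures > threshold:
            hits.append((index, failures))
    return hits


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_EVENTS):
        print(i, "structured:", extract_failures(raw), "naive raw:", first_number_in_raw(raw))
    print("would alert on:", alerting_events(SAMPLE_EVENTS))
```

In Splunk terms the equivalent search is `| spath` (or KV_MODE=json at search time) followed by the rex on Comment__c and then `| where failures_no > 0` as the alert's trigger condition; the point the example makes is that the regex is run over a single extracted field, and that "no count extracted" is handled separately from "count is 0".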

Ram2
Explorer

Hi @PickleRick,

Our requirement is to set up an alert on these logs, and we need to trigger an alert if there are any failures greater than 0.

I tried the rex you provided and it's not working. As you suggested, may I know how we can do this via spath?

PickleRick
SplunkTrust

What do you mean by "it's not working"? It's supposed to work on contents of a given field. This field must be extracted before you use the rex command. Is it extracted?
