
Need help on rex

Ram2
Explorer

We have JSON logs. From the logs below we need to get the rex for the failures count, which is mentioned in the logs like "(7 failures)". We need the rex to get the failures count.

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 3 batches with 3 failures.3",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 4 batches with 4 failures.4",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 5 batches with 5 failures.5",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 7 batches with 7 failures.7",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 10 batches with 10 failures.10",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}


0 Karma

alizarei
Loves-to-Learn

Hi,

You can extract a rex of all failures.

| rex field=_raw "(?<failures>\d+) failures"
0 Karma

PickleRick
SplunkTrust

Do you need to do this in SPL during search or are you trying to define a field extraction?

Anyway, the usual answer to "regex" and "json" in one sentence is "don't fiddle with regex on structured data".

With SPL it's relatively easy: extract your fields either with KV_MODE=json or explicitly using spath and do

| rex field=Comment__c "with (?<failures_no>\d+) failures"

With field extraction it might not be that easy, because transforms which you could call on a JSON-extracted field are called before autoextractions. So you might actually need to define the extraction based on raw data with that regex, but that will be unintuitive to maintain since your data seems to be well-formed JSON, and with JSON you'd actually expect the explicitly named fields, not some funky stuff pulled from somewhere in the middle.

0 Karma

Ram2
Explorer

Hi @PickleRick,

Our requirement is to set up an alert on these logs, and we need to trigger an alert if there are any failures greater than 0.

I tried the rex you provided; it's not working. As you suggested, may I know how we can do this via spath?


0 Karma

PickleRick
SplunkTrust

What do you mean by "it's not working"? It's supposed to work on contents of a given field. This field must be extracted before you use the rex command. Is it extracted?

0 Karma
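The two-step approach PickleRick describes (parse the JSON first, then run the rex only on Comment__c) and the alert rule from the question (count greater than 0), as an added Python example that is not from the thread. The sample records are constructed from the logs posted above; the third one deliberately keeps the unquoted CreatedById value exactly as pasted, to show what happens when a record is not valid JSON and field extraction cannot succeed.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed sample records modelled on the question. Records 0 and 1 are
# well-formed JSON; record 2 keeps `"CreatedById": 657856MHQA` unquoted, as
# pasted in the thread, which is NOT valid JSON.
SAMPLE_RECORDS = [
    '{"attributes": {"type": "rar_Log__c"}, "Application_Id__c": "MOT-Branch", '
    '"Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded '
    'applications deletion completed 3 batches with 3 failures.3", "CreatedById": "657856MHQA"}',
    '{"attributes": {"type": "rar_Log__c"}, "Application_Id__c": "MOT-Branch", '
    '"Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded '
    'applications deletion completed 2 batches with 0 failures.0", "CreatedById": "657856MHQA"}',
    '{"attributes": {"type": "rar_Log__c"}, "Application_Id__c": "MOT-Branch", '
    '"Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded '
    'applications deletion completed 10 batches with 10 failures.10", "CreatedById": 657856MHQA}',
]

# Same pattern as the SPL rex in the thread: anchoring on the literal words
# around the number keeps "3 batches" and the trailing ".3" out of the capture.
FAILURES_RE = re.compile(r"with (?P<failures_no>\d+) failures")

def extract_failures(raw: str) -> Tuple[Optional[int], str]:
    """Return (failure count or None, where it was taken from).

    Structured path first, as KV_MODE=json / spath would do, then the rex on
    the Comment__c field only. If the event is not valid JSON, no Comment__c
    field exists to rex over (the "is it extracted?" case), so fall back to
    the raw event and report that the JSON parse failed.
    """
    try:
        comment = json.loads(raw).get("Comment__c", "")
        source = "Comment__c"
    except json.JSONDecodeError:
        comment, source = raw, "_raw (JSON parse failed)"
    m = FAILURES_RE.search(comment)
    return (int(m.group("failures_no")) if m else None), source

def events_to_alert(records: List[str]) -> List[Tuple[int, int, str]]:
    """Alert condition from the question: every event whose count is > 0."""
    hits = []
    for idx, raw in enumerate(records):
        count, source = extract_failures(raw)
        if count is not None and count > 0:
            hits.append((idx, count, source))
    return hits

if __name__ == "__main__":
    for hit in events_to_alert(SAMPLE_RECORDS):
        print(hit)
```

An event that only yields a count via the `_raw` fallback is worth a look before alerting on it: it means the record is not well-formed JSON and the structured extraction the rest of the pipeline relies on has silently produced nothing.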