Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help on rex

Ram2
Explorer
‎08-23-2024 02:48 PM

We have json logs, from the below logs we need to get the rex for the failures count which is mentioned in the logs like (7 failures)
We need rex to get the count for failures  count.

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 3 batches with 3 failures.3",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 4 batches with 4 failures.4",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 5 batches with 5 failures.5",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 7 batches with 7 failures.7",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 10 batches with 10 failures.10",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

 

0 Karma
Reply

alizarei
Loves-to-Learn
‎08-27-2024 08:43 AM

hi 

You can extract a rex of all failures.

| rex field =_raw ".?failures<field name>.\w "
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-23-2024 03:25 PM

Do you need to do this in SPL during search or are you trying to define a field extraction?

Anyway, the usual answer to "regex" and "json" in one sentence is usually "don't fiddle with regex on structured data".

WIth SPL it's relatively easy - extract your fields either with KV_MODE=json or explicitly using spath and do

| rex input=attributes.Comment__c "with (?<failures_no>\d+) failures"

With field extraction it might not be that easy because transforms which you could call on a json-extracted field are called before autoextractions. So you might actually need to define extraction based on raw data with that regex but that will be unintuitive to maintain since your data seems to be a well-formed json and  with json you'd actually expect the explicitly named fields, not some funky stuff pulled from somewhere from the middle.

0 Karma
Reply

Ram2
Explorer
‎08-26-2024 12:36 PM

Hi @PickleRick,

our requirement is to set up alert on this logs and we need to trigger an alert if any failures are there greater than 0

I tied the rex u provided it’s not working, as u suggested may I know how can we do via spath

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-26-2024 12:57 PM

What do you mean by "it's not working"? It's supposed to work on contents of a given field. This field must be extracted before you use the rex command. Is it extracted?

0 Karma
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...