Knowledge Management

Need help on rex

Ram2
Explorer

We have JSON logs. From the logs below we need a rex for the failure count, which is mentioned in the logs like "7 failures".
We need a rex to get the failures count.

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 3 batches with 3 failures.3",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 4 batches with 4 failures.4",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 5 batches with 5 failures.5",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 7 batches with 7 failures.7",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}

{"attributes": {"type" : "rar_Log__c",  "url": "/data/log/v4.0/subject/rar"},  "Application_Id__c": "MOT-Branch", "Category__c": "MOT-Branch", "Comment__c": "Class Name: MOT_Date3DayPurgeBatch - LCT Declined or Not Funded applications deletion completed 10 batches with 10 failures.10",  "Contact_Id__c": null,  "CreatedById" : 657856MHQA,  "CreatedDate": "2022-02-21T16:04:01.000+0000", "Description__c": null}


0 Karma

alizarei
Loves-to-Learn

hi 

You can extract a rex of all failures.

| rex field=_raw "(?<failures>\d+) failures"
0 Karma

PickleRick
SplunkTrust

Do you need to do this in SPL during search or are you trying to define a field extraction?

Anyway, the usual answer to "regex" and "json" in one sentence is usually "don't fiddle with regex on structured data".

With SPL it's relatively easy - extract your fields either with KV_MODE=json or explicitly using spath and do

| rex field=Comment__c "with (?<failures_no>\d+) failures"

With field extraction it might not be that easy because transforms which you could call on a json-extracted field are called before autoextractions. So you might actually need to define extraction based on raw data with that regex but that will be unintuitive to maintain since your data seems to be a well-formed json and with json you'd actually expect the explicitly named fields, not some funky stuff pulled from somewhere in the middle.

0 Karma
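The spath-then-rex approach from the answer above, as an added Python model that is not Splunk's code or the poster's: it parses each event as JSON first, applies the same regex only to the Comment__c field, and keeps the rows a `failures_no > 0` alert would fire on. The sample events are constructed, and the malformed one shows why structured parsing should come before the regex.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample events modelled on the thread's rar_Log__c records (only the fields
# the search needs; CreatedById is quoted so the lines are valid JSON, unlike the paste).
SAMPLE_EVENTS = [
    '{"attributes": {"type": "rar_Log__c"}, "Comment__c": "Class Name: MOT_Date3DayPurgeBatch'
    ' - LCT Declined or Not Funded applications deletion completed 3 batches with 3 failures.3",'
    ' "CreatedDate": "2022-02-21T16:04:01.000+0000"}',
    '{"attributes": {"type": "rar_Log__c"}, "Comment__c": "Class Name: MOT_Date3DayPurgeBatch'
    ' - LCT Declined or Not Funded applications deletion completed 10 batches with 10 failures.10",'
    ' "CreatedDate": "2022-02-21T16:04:01.000+0000"}',
    # A clean run: must NOT trigger the alert.
    '{"attributes": {"type": "rar_Log__c"}, "Comment__c": "Class Name: MOT_Date3DayPurgeBatch'
    ' - LCT Declined or Not Funded applications deletion completed 2 batches with 0 failures.0",'
    ' "CreatedDate": "2022-02-21T16:05:01.000+0000"}',
    # Malformed event (unquoted value, as in the thread's paste): skipped, not guessed.
    '{"attributes": {"type": "rar_Log__c"}, "CreatedById": 657856MHQA, "Comment__c": "x"}',
]

# Same pattern as the rex above. Anchoring on the literal "with ... failures" means the
# trailing ".3" / ".10" suffix in the comment can never be mistaken for the count.
FAILURES_RE = re.compile(r"with (?P<failures_no>\d+) failures")


def extract_fields(raw_event: str) -> Optional[Dict[str, object]]:
    """Mimic `| spath | rex field=Comment__c ...`: parse JSON first, then regex only Comment__c."""
    try:
        event = json.loads(raw_event)
    except json.JSONDecodeError:
        return None  # surface the bad event rather than regex-scraping _raw
    match = FAILURES_RE.search(event.get("Comment__c") or "")
    event["failures_no"] = int(match.group("failures_no")) if match else None
    return event


def alert_rows(raw_events: List[str]) -> List[Dict[str, object]]:
    """Equivalent of `| where failures_no > 0`: the rows an alert would fire on."""
    rows = []
    for raw in raw_events:
        fields = extract_fields(raw)
        if fields is not None and fields["failures_no"] is not None and fields["failures_no"] > 0:
            rows.append({"CreatedDate": fields["CreatedDate"], "failures_no": fields["failures_no"]})
    return rows


if __name__ == "__main__":
    for row in alert_rows(SAMPLE_EVENTS):
        print(row)
```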

Ram2
Explorer

Hi @PickleRick,

Our requirement is to set up an alert on these logs, and we need to trigger an alert if there are any failures greater than 0.

I tried the rex you provided; it's not working. As you suggested, may I know how we can do this via spath?


0 Karma

PickleRick
SplunkTrust

What do you mean by "it's not working"? It's supposed to work on contents of a given field. This field must be extracted before you use the rex command. Is it extracted?

0 Karma