- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to write regular expression to extract few fields in this, but not able to figure this out. Can you please help me on the same.
Above is the whole log. I need to extract code,severity and message. I cant able t understand the format and fetch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @vineela,
this seems to be a Json log, so you could try to use the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath).
If anyway you want to use a regex, you could try something like this:
| rex "\"code\":\"(?<code>[^\"]+)\",\"severity\":\"(?<severity>[^\"]+)\".*\"user_message\":\"(?<user_message>[^\"]+)\""
that you can test at https://regex101.com/r/8Ggre7/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @vineela,
this seems to be a Json log, so you could try to use the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath).
If anyway you want to use a regex, you could try something like this:
| rex "\"code\":\"(?<code>[^\"]+)\",\"severity\":\"(?<severity>[^\"]+)\".*\"user_message\":\"(?<user_message>[^\"]+)\""
that you can test at https://regex101.com/r/8Ggre7/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gcusello,
It is working and thanks for introducing new command as well to me..I will try to check documentation for spath command.
Appreciate you for quick response
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @vineela,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
