Hi
How do I extract my field using rex?
Below is the sample log:
"{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}",
Here is what I came up with:
| rex (^{{1}"{1}(?\w{4})"{1}:{1}{{1}"{1}(?\w{4})"{1}:{1}"{1}(?\d{3})"{1},{1}"{1}(?\w*)"{1}:{1}"{1}(?\w*)"{1},{1}"{1}(?\w*)"{1}:{1}(?\w*)}{2})
Looks like some was escaped out:
"| rex (^{{1}"{1}(?\w{4})"{1}:{1}{{1}"{1}(?\w{4})"{1}:{1}"{1}(?\d{3})"{1},{1}"{1}(?\w*)"{1}:{1}"{1}(?\w*)"{1},{1}"{1}(?\w*)"{1}:{1}(?\w*)}{2})"
My named capture groups keep getting dropped when I post.
| rex (^{{1}"{1}(?named capture group\w{4})"{1}:{1}{{1}"{1}(?named capture group\w{4})"{1}:{1}"{1}(?named capture group\d{3})"{1},{1}"{1}(?named capture group\w*)"{1}:{1}"{1}(?named capture group\w*)"{1},{1}"{1}(?named capture group\w*)"{1}:{1}(?named capture group\w*)}{2}
@jodyfsu - you can mark your code using any of three strategies, to avoid html-like items being stripped out or interpreted as formatting.
1) For any amount of text, highlight the text and press the "mark code" button (101 010). That button works better for me on Chrome.
2) For lots of code text, put at least four spaces in front of the first non-whitespace character on each line. Make sure there is at least one completely empty line before the first code line.
3) For small pieces of code, use backticks (also called grave accents) before and after the code. That character (`) is found under the tilde (~), to the left of the 1 on an American keyboard.
Thank you.
This doesn't capture anything and also seems overkill.. I would suggest adding sample data before and after that you want to extract and one of us will give you a much cleaner regex
"| rex (^{{1}"{1}(?<f1>\w{4})"{1}:{1}{{1}"{1}(?<f2>\w{4})"{1}:{1}"{1}(?<f3>\d{3})"{1},{1}"{1}(?<f4>\w*)"{1}:{1}"{1}(?<f5>\w*)"{1},{1}"{1}(?<f6>\w*)"{1}:{1}(?<f7>\w*)}{2})"
So you want to extract "{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}",
from your log and name it OP_FRM_SRC_SYS?
Can you provide a larger sample size of characters/text before and after the field you want to extract?
@Gaya852635
try this in props.conf
[json_embedded]
REGEX = "(\w+)"."(\S+?)"
FORMAT = $1::$2
Which field are you trying to pull out?
This is the fieldname:OP_FRM_SRC_SYS
OP_FRM_SRC_SYS="{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}",
I am a little confused so please help me understand. So this is in the log:
"{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}"..... right?
Which field in the log are you trying to pull out? And are you wanting it named OP_FRM_SRC_SYS?
Please let me know what I am not following.
complete field "{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}" as a fieldvalue into the fieldname OP_FRM_SRC_SYS.
Ah, ok.. I will see if I can figure this out 🙂
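Added example, not part of the thread and not Splunk code: a Python sketch of pulling the whole embedded JSON object into OP_FRM_SRC_SYS. The value contains a nested object and unescaped inner quotes, so a pattern that stops at the first `}` or the first `"` truncates it; this version tracks brace depth instead. The timestamp and the text around the field in the sample event are assumptions.

```python
import json

FIELD = "OP_FRM_SRC_SYS"  # field name from the thread

# Constructed event: the thread's sample value with assumed text before and after it.
SAMPLE = ('2024-01-01 12:00:00 INFO ' + FIELD +
          '="{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}", next=1')


def extract_json_field(event, field=FIELD):
    """Return the balanced {...} text that follows field=" or None if absent/truncated."""
    marker = field + '="'
    start = event.find(marker)
    if start == -1:
        return None
    i = start + len(marker)
    if i >= len(event) or event[i] != "{":
        return None
    depth, in_string, escaped = 0, False, False
    for j in range(i, len(event)):
        ch = event[j]
        if in_string:
            # Braces inside a JSON string must not change the nesting depth.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return event[i:j + 1]
    return None  # unbalanced: the event was cut off before the object closed


def parse_field(event, field=FIELD):
    """Extract the value and decode it, so a bad extraction fails loudly."""
    raw = extract_json_field(event, field)
    return None if raw is None else json.loads(raw)


if __name__ == "__main__":
    print(extract_json_field(SAMPLE))
    print(parse_field(SAMPLE)["xxxx"]["statusMessage"])
```

Decoding the extracted text with `json.loads` is a quick check that the boundaries are right before the same logic is carried into a search-time extraction.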