Splunk Enterprise

Help with rex field extraction?

Allampally
Path Finder

Hi All,

I have two events as below. In both events, the data format is different. We can observe an extra "/" in a few events. How do I capture the logEntryType from both of them using the rex command?

,\"logEntryType\":\"SUMMARY\",
,"logEntryType":"Detail",

Field Name should be "logEntryType" and values should be "SUMMARY" and "Detail".

1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

This looks like JSON, the first string being embedded JSON (within another JSON field?) - have you tried using spath to extract the fields (It might need 2 spath's to extract the embedded JSON correctly)?

If you don't want to use spath (for whatever reason), the use of rex can get a little messy

| rex max_match=0 "\\\\?\"logEntryType\\\\?\":\\\\?\"(?<logEntryType>[^\"\\\\]+)"

0 Karma
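To make the two approaches in this answer concrete, here is an added Python example (not code from the thread, and not Splunk's own spath or rex implementation). The rex pattern is ported to Python's re module unchanged, and the "two spath" idea is mirrored by parsing the outer JSON and then parsing any string-valued field that itself holds JSON. The two sample events, the outer field name "payload", and the "id" values are constructed for the example; the original events only showed the logEntryType fragment.

```python
import json
import re

# Constructed sample events (not from the thread). The first carries the inner
# record as an escaped JSON string inside an outer JSON field (here assumed to
# be called "payload"), which is why the raw text shows \" around logEntryType.
# The second is plain, unescaped JSON.
EVENTS = [
    r'{"source":"api","payload":"{\"id\":42,\"logEntryType\":\"SUMMARY\"}"}',
    '{"source":"api","id":43,"logEntryType":"Detail"}',
]

# Port of the rex in the answer: each quote may be preceded by an optional
# backslash, and the captured value stops at the next quote or backslash.
LOG_ENTRY_TYPE_RE = re.compile(r'\\?"logEntryType\\?":\\?"(?P<logEntryType>[^"\\]+)')

# The obvious pattern that ignores escaping; kept to show why it is insufficient.
NAIVE_RE = re.compile(r'"logEntryType":"(?P<logEntryType>[^"]+)')


def extract_with_regex(event: str) -> list:
    """Equivalent of `rex max_match=0 ...`: every logEntryType value in the event."""
    return [m.group("logEntryType") for m in LOG_ENTRY_TYPE_RE.finditer(event)]


def naive_extract(event: str) -> list:
    """Same extraction without allowing for the backslash escapes."""
    return [m.group("logEntryType") for m in NAIVE_RE.finditer(event)]


def extract_with_parser(event: str, field: str = "logEntryType"):
    """Equivalent of two spath calls: parse the outer JSON, then parse any
    string-valued field that is itself a JSON object, and return the field
    from whichever level holds it (None if neither does)."""
    outer = json.loads(event)
    if field in outer:
        return outer[field]
    for value in outer.values():
        # Only attempt a second decode on strings that look like a JSON object.
        if isinstance(value, str) and value.lstrip().startswith("{"):
            try:
                inner = json.loads(value)
            except json.JSONDecodeError:
                continue
            if isinstance(inner, dict) and field in inner:
                return inner[field]
    return None


if __name__ == "__main__":
    for event in EVENTS:
        print("regex :", extract_with_regex(event))
        print("naive :", naive_extract(event))
        print("parser:", extract_with_parser(event))
```

Running it shows the naive pattern returning nothing for the escaped event while both the ported rex and the two-level parse return SUMMARY and Detail. The parser route is the one to prefer when the outer event is valid JSON, because it does not depend on the exact escaping style and cannot be fooled by a logEntryType string appearing inside some other field's value.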


Allampally
Path Finder

I tried using spath but it didn't work for me. Could you please help me write two spaths to extract the embedded JSON requests?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

For that I would need an example of your events - please share anonymised version in a code block </> so that formatting is preserved.

0 Karma

Allampally
Path Finder

I can't post even sample data here. Is there any link or tutorial on using spath for JSON requests?

0 Karma