Splunk Enterprise

Help with rex field extraction?

Allampally
Path Finder

Hi All,

I have two events as below. In both the events, data format is different. We can observe extra "/" from few events. How to capture the logEntryType from both of them by using rex command ?

,\"logEntryType\":\"SUMMARY\",
,"logEntryType":"Detail",

Field Name should be "logEntryType" and values should be "SUMMARY" and "Detail".

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

This looks like JSON, the first string being embedded JSON (within another JSON field?) - have you tried using spath to extract the fields (It might need 2 spath's to extract the embedded JSON correctly)?

If you don't want to use spath (for whatever reason), the use of rex can get a little messy

| rex max_match=0 "\\\\?\"logEntryType\\\\?\":\\\\?\"(?<logEntryType>[^\"\\\\]+)"

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

This looks like JSON, the first string being embedded JSON (within another JSON field?) - have you tried using spath to extract the fields (It might need 2 spath's to extract the embedded JSON correctly)?

If you don't want to use spath (for whatever reason), the use of rex can get a little messy

| rex max_match=0 "\\\\?\"logEntryType\\\\?\":\\\\?\"(?<logEntryType>[^\"\\\\]+)"
0 Karma

Allampally
Path Finder

I tried using SPATH but didn't work for me. Could you please help me to write two spaths to extract embedded json requests ? 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

For that I would need an example of your events - please share anonymised version in a code block </> so that formatting is preserved.

0 Karma

Allampally
Path Finder

I can't post even sample data here. Is there any link or tutorial to use spath for json requests ? 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...