Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with rex field extraction?

Allampally
Path Finder
‎05-10-2023 05:36 AM

Hi All,

I have two events as below. In both the events, data format is different. We can observe extra "/" from few events. How to capture the logEntryType from both of them by using rex command ?

,\"logEntryType\":\"SUMMARY\",
,"logEntryType":"Detail",

Field Name should be "logEntryType" and values should be "SUMMARY" and "Detail".

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2023 06:04 AM

This looks like JSON, the first string being embedded JSON (within another JSON field?) - have you tried using spath to extract the fields (It might need 2 spath's to extract the embedded JSON correctly)?

If you don't want to use spath (for whatever reason), the use of rex can get a little messy

| rex max_match=0 "\\\\?\"logEntryType\\\\?\":\\\\?\"(?<logEntryType>[^\"\\\\]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2023 06:04 AM

This looks like JSON, the first string being embedded JSON (within another JSON field?) - have you tried using spath to extract the fields (It might need 2 spath's to extract the embedded JSON correctly)?

If you don't want to use spath (for whatever reason), the use of rex can get a little messy

| rex max_match=0 "\\\\?\"logEntryType\\\\?\":\\\\?\"(?<logEntryType>[^\"\\\\]+)"
0 Karma
Reply
Solved! Jump to solution

Allampally
Path Finder
‎05-10-2023 06:26 AM

I tried using SPATH but didn't work for me. Could you please help me to write two spaths to extract embedded json requests ? 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2023 06:28 AM

For that I would need an example of your events - please share anonymised version in a code block </> so that formatting is preserved.

0 Karma
Reply
Solved! Jump to solution

Allampally
Path Finder
‎05-10-2023 07:18 AM

I can't post even sample data here. Is there any link or tutorial to use spath for json requests ? 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...