Splunk Enterprise

How to extract field for statement.

jw44250
New Member

serialNumber":"test1234","serviceChannel":"test","countryOfPurchase":"US",

serialNumber":"test1294","serviceChannel":"test","countryOfPurchase":"ind",

serialNumber":"test12836","serviceChannel":"test","countryOfPurchase":"ind",

serialNumber":"test125","serviceChannel":"test","countryOfPurchase":"chi",

How do I filter for

serialNumber":"test1234"

using row in Splunk?

I have tried this, but it didn't work:

rex field=_raw "(?serialNumber.*)"


TISKAR
Builder

Hello,

If you try this:

    | makeresults | eval _raw="\"serialNumber\":\"test1234\",\"serviceChannel\":\"test\",\"countryOfPurchase\":\"US\""
    | rex field=_raw "\"serialNumber\":\"(?<serialNumber>\w*)"
    | table serialNumber

In any case, you can use the Field Extractor UI:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ExtractfieldsinteractivelywithIFX


mayurr98
SplunkTrust

hello,

I am sure the answer given by @niketnilay should work but if you are looking to just extract serialNumber then you can go with the following query:

Try this run-anywhere search:

| makeresults 
| eval _raw="{\"serialNumber\":\"test12836\",\"serviceChannel\":\"test\",\"countryOfPurchase\":\"ind\"}" 
| rex "serialNumber\":\"(?<serialNumber>[^\"]+)"

In your environment, you should try:

<base query> | rex "serialNumber\":\"(?<serialNumber>[^\"]+)"

Let me know if this helps!


jw44250
New Member

I want to run an ad hoc command.


niketnilay
Legend

@jw44250, does the raw event contain only xml data? If so, you can set KV_MODE=JSON in your props.conf. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath#Alternatives_to_the_spath_c....

Also would it be possible for you to add complete JSON with sample/mocked up data? Are there multiple serialNumbers in single JSON or is there one serial number per JSON as in example from the question?

You should explore the spath command for traversing JSON data. Following is a run-anywhere search based on one of them:

|  makeresults
|  eval _raw="{\"serialNumber\":\"test12836\",\"serviceChannel\":\"test\",\"countryOfPurchase\":\"ind\"}"
|  spath
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jw44250
New Member

My JSON: searchBase | spath output=myfield path=test | table myfield

The above query should work but is not working.

{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 134
},
{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 139
}


niketnilay
Legend

@jw44250, the JSON you have posted seems to have an incorrect structure (only the first part can be traversed; validate with any JSON editor):

|  makeresults
|  eval _raw="{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
}
\"test\": 134
},
{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
}
\"test\": 139
}"
|  spath

Following is the correct structure for the JSON:

|  makeresults
|  eval _raw="{
    \"test1\":{
        \"foo\" : {
            \"bar\" : [
                        {\"zoo\" : 1},
                        {\"baz\" : 2}
                    ]
            },
        \"test\": 134
    },
    \"test2\":{
        \"foo\" : {
            \"bar\" : [
                        {\"zoo\" : 1},
                        {\"baz\" : 2}
                    ]
            },
        \"test\": 139
    }
}"
|  spath

If rectifying the JSON is out of the question, you should use rex to extract the required field based on a regular expression.


jw44250
New Member

When you have JSON and text together it won't work.

This is my JSON from the server:
{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 134
},
{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 139
}


niketnilay
Legend

Can you try the following rex if you need to extract the multi-valued test field: | rex "\"test\"\:\s(?<test>\d+)" max_match=0

|  makeresults
|  eval _raw="{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
}
\"test\": 134
},
{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
}
\"test\": 139
}"
|  rex "\"test\"\:\s(?<test>\d+)" max_match=0
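As an added example (not code from the thread or from Splunk), the same extractions in Python: a strict JSON check showing why spath cannot traverse the malformed text posted above, the serialNumber rex from earlier in the thread, and the max_match=0 rex on "test" as a findall. The sample events are constructed; Splunk's (?<name>) named-group syntax maps to Python's (?P<name>).

```python
import json
import re

# Constructed sample events mirroring the thread (not the poster's real data).
SERIAL_EVENTS = [
    '{"serialNumber":"test1234","serviceChannel":"test","countryOfPurchase":"US"}',
    '{"serialNumber":"test1294","serviceChannel":"test","countryOfPurchase":"ind"}',
    # JSON mixed with leading text and a trailing comma: spath fails, rex still works.
    'prefix text {serialNumber":"test12836","serviceChannel":"test","countryOfPurchase":"ind",}',
]

# Constructed copy of the thread's malformed JSON: missing comma after the "foo"
# object and two bare top-level objects, so a strict parser rejects it.
MALFORMED_JSON = '''{
"foo" : { "bar" : [ {"zoo" : 1}, {"baz" : 2} ] }
"test": 134
},
{
"foo" : { "bar" : [ {"zoo" : 1}, {"baz" : 2} ] }
"test": 139
}'''

SERIAL_RE = re.compile(r'serialNumber":"(?P<serialNumber>[^"]+)')
TEST_RE = re.compile(r'"test":\s(?P<test>\d+)')


def is_strict_json(raw):
    """True only if the whole event is one valid JSON document (what spath needs)."""
    try:
        json.loads(raw)
        return True
    except ValueError:
        return False


def extract_serial(raw):
    """Equivalent of the thread's serialNumber rex: first match or None."""
    m = SERIAL_RE.search(raw)
    return m.group("serialNumber") if m else None


def extract_tests(raw):
    """Equivalent of rex ... max_match=0: every match, as a multi-valued field."""
    return [int(v) for v in TEST_RE.findall(raw)]


def filter_by_serial(events, wanted):
    """The original question: keep only events whose serialNumber equals `wanted`."""
    return [e for e in events if extract_serial(e) == wanted]
```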

deepashri_123
Motivator

Hey jw44250,

Try using this:

| rex field=_raw "serialNumber\"\:\"(?P<SerialNumber>[^\"]+)\""

Let me know if this helps!!


jw44250
New Member

Getting the error below:
Error in 'rex' command: Encountered the following error while compiling the regex 'serialNumber":"(?P[^"]+)"': Regex: unrecognized character after (?P


deepashri_123
Motivator

I have edited my answer... can you try now?


kmaron
Motivator

Try this:

| rex field=_raw "serialNumber\":\"(?<serialNumber>\w*?)\""

jw44250
New Member

No result found


kmaron
Motivator

What do you mean no result found? What is the rest of your search?


jw44250
New Member

index=text sourcetype=test | rex field=_raw "serialNumber\":\"(?<serialNumber>\w*?)\"" | table serialNumber


jw44250
New Member

It returns an empty result. It is in JSON format.

{serialNumber":"test12836","serviceChannel":"test","countryOfPurchase":"ind",}


kmaron
Motivator

If you use spath before the rex it should work (it does for me).
