serialNumber":"test1234","serviceChannel":"test","countryOfPurchase":"US",
serialNumber":"test1294","serviceChannel":"test","countryOfPurchase":"ind",
serialNumber":"test12836","serviceChannel":"test","countryOfPurchase":"ind",
serialNumber":"test125","serviceChannel":"test","countryOfPurchase":"chi",
How do I filter on
serialNumber":"test1234"
using row in Splunk?
I have tried this, but it didn't work:
rex field=_raw "(?serialNumber.*)"
Hello,
If you try this:
| makeresults | eval _raw="\"serialNumber\":\"test1234\",\"serviceChannel\":\"test\",\"countryOfPurchase\":\"US\""
| rex field=_raw "\"serialNumber\":\"(?<serialNumber>\w*)"
| table serialNumber
In any case, you can use the Field Extractor UI:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ExtractfieldsinteractivelywithIFX
hello,
I am sure the answer given by @niketnilay should work, but if you are looking to just extract serialNumber then you can go with the following query.
Try this run-anywhere search:
| makeresults
| eval _raw="{\"serialNumber\":\"test12836\",\"serviceChannel\":\"test\",\"countryOfPurchase\":\"ind\"}"
| rex "serialNumber\":\"(?<serialNumber>[^\"]+)"
In your environment, you should try:
<base query> | rex "serialNumber\":\"(?<serialNumber>[^\"]+)"
Let me know if this helps!
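As an added illustration of the two rex patterns suggested above (this is not code from the thread), the following Python script applies the same regular expressions to constructed events modelled on the question's data. Python's re module needs (?P<name>...) where Splunk's rex (PCRE) accepts (?<name>...); the hyphenated serial "SN-0042" is an assumed value added to show why [^"]+ is more robust than \w*, and the malformed event copies the shape posted later in the thread.

```python
import re
from typing import List, Optional

# Constructed sample events modelled on the question's raw lines (values are made up).
RAW_EVENTS = [
    '{"serialNumber":"test1234","serviceChannel":"test","countryOfPurchase":"US"}',
    '{"serialNumber":"test1294","serviceChannel":"test","countryOfPurchase":"ind"}',
    # Malformed event (missing opening quote, trailing comma), as posted in the thread.
    '{serialNumber":"test12836","serviceChannel":"test","countryOfPurchase":"ind",}',
    # Assumed value with a hyphen, not in the thread: shows where \w* stops short.
    '{"serialNumber":"SN-0042","serviceChannel":"web","countryOfPurchase":"chi"}',
]

# Splunk:  rex "\"serialNumber\":\"(?<serialNumber>\w*)"
SERIAL_WORD = re.compile(r'serialNumber":"(?P<serialNumber>\w*)')
# Splunk:  rex "serialNumber\":\"(?<serialNumber>[^\"]+)"
SERIAL_NOQUOTE = re.compile(r'serialNumber":"(?P<serialNumber>[^"]+)')


def extract_serial(raw: str, pattern: re.Pattern = SERIAL_NOQUOTE) -> Optional[str]:
    """Return the serialNumber captured from one raw event, or None if absent."""
    match = pattern.search(raw)
    return match.group("serialNumber") if match else None


def filter_by_serial(events: List[str], wanted: str) -> List[str]:
    """Keep only events whose extracted serialNumber equals `wanted`
    (the search-time equivalent of `... | rex ... | search serialNumber=wanted`)."""
    return [event for event in events if extract_serial(event) == wanted]


if __name__ == "__main__":
    for event in RAW_EVENTS:
        print(extract_serial(event, SERIAL_WORD), "|", extract_serial(event))
    print(filter_by_serial(RAW_EVENTS, "test1234"))
```

Because the regex anchors on the literal serialNumber":" text rather than on JSON structure, it still works on the malformed event; that is the same property the later spath discussion relies on when it falls back to rex.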
I want to run an ad hoc command.
@jw44250, does the raw event contain only xml data? If so, you can set KV_MODE=JSON
in your props.conf. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath#Alternatives_to_the_spath_c....
Also, would it be possible for you to add the complete JSON with sample/mocked-up data? Are there multiple serialNumbers in a single JSON, or is there one serial number per JSON as in the example from the question?
You should explore the spath command for traversing JSON data. The following is a run-anywhere search based on one of them:
| makeresults
| eval _raw="{\"serialNumber\":\"test12836\",\"serviceChannel\":\"test\",\"countryOfPurchase\":\"ind\"}"
| spath
My JSON: searchBase | spath output=myfield path=test | table myfield
The above query should work but is not working.
{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 134
},
{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 139
}
@jw44250, the JSON you have posted seems to have an incorrect structure (only the first part can be traversed; validate with any JSON editor):
| makeresults
| eval _raw="{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
}
\"test\": 134
},
{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
}
\"test\": 139
}"
| spath
The following is the correct structure for the JSON:
| makeresults
| eval _raw="{
\"test1\":{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
},
\"test\": 134
},
\"test2\":{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
},
\"test\": 139
}
}"
| spath
If rectifying the JSON is out of the question, you should use rex to extract the required field based on a regular expression.
When you have JSON and text together it won't work.
This is my JSON from the server .....
{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 134
},
{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 139
}
Can you try the following rex if you need to extract the multi-valued test field:
| rex "\"test\"\:\s(?<test>\d+)" max_match=0
| makeresults
| eval _raw="{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
}
\"test\": 134
},
{
\"foo\" : {
\"bar\" : [
{\"zoo\" : 1},
{\"baz\" : 2}
]
}
\"test\": 139
}"
| rex "\"test\"\:\s(?<test>\d+)" max_match=0
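To make the point of this answer and the earlier spath discussion concrete, here is an added Python example (not code from the thread or from Splunk) that checks the two JSON documents posted above with a real parser, walks the corrected one by a dotted path as a simplified stand-in for spath, and applies the same "test" regex with all matches kept, which is what max_match=0 does. The spath_get helper and its dotted-path syntax are hypothetical simplifications, not Splunk's path syntax; the JSON strings are copies of what was posted.

```python
import json
import re
from typing import Any, List, Optional

# Copy of the JSON posted in the thread: two top-level objects and a missing comma
# after the "foo" object, so it is not a single valid JSON document.
BROKEN_JSON = """{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 134
},
{
"foo" : {
"bar" : [
{"zoo" : 1},
{"baz" : 2}
]
}
"test": 139
}"""

# The corrected structure suggested in the thread: both records wrapped under keys.
FIXED_JSON = """{
"test1": {"foo": {"bar": [{"zoo": 1}, {"baz": 2}]}, "test": 134},
"test2": {"foo": {"bar": [{"zoo": 1}, {"baz": 2}]}, "test": 139}
}"""

# Python form of the thread's rex "\"test\"\:\s(?<test>\d+)" (PCRE (?<name>) -> (?P<name>)).
TEST_FIELD = re.compile(r'"test":\s(?P<test>\d+)')


def json_error(text: str) -> Optional[str]:
    """Return None when `text` is valid JSON, otherwise the parser's message and position."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as exc:
        return f"{exc.msg} at line {exc.lineno} column {exc.colno}"


def spath_get(text: str, path: str) -> Any:
    """Simplified stand-in for spath (hypothetical helper): walk a dotted key path
    through valid JSON and return the node there, or None on malformed input."""
    try:
        node = json.loads(text)
    except json.JSONDecodeError:
        return None  # structural traversal has nothing to work on, as the thread observes
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def rex_all(text: str, pattern: re.Pattern, group: str) -> List[str]:
    """Equivalent of `rex ... max_match=0`: every capture of `group`, as a multi-valued field."""
    return [m.group(group) for m in pattern.finditer(text)]


if __name__ == "__main__":
    print("broken:", json_error(BROKEN_JSON))
    print("fixed:", json_error(FIXED_JSON))
    print("spath test2.test ->", spath_get(FIXED_JSON, "test2.test"))
    print("rex on broken ->", rex_all(BROKEN_JSON, TEST_FIELD, "test"))
```

The regex fallback returns both values from the malformed text because it never parses the document, while the path walk only succeeds once the JSON is a single well-formed object.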
Hey jw44250,
Try using this:
| rex field=_raw "serialNumber\"\:\"(?P<SerialNumber>[^\"]+)\""
Let me know if this helps!!
Getting the error below:
Error in 'rex' command: Encountered the following error while compiling the regex 'serialNumber":"(?P[^"]+)"': Regex: unrecognized character after (?P
I have edited my answer... can you try now?
Try this:
| rex field=_raw "serialNumber\":\"(?<serialNumber>\w*?)\""
No result found
What do you mean no result found? What is the rest of your search?
index=text sourcetype=test | rex field=_raw "serialNumber\":\"(?<serialNumber>\w*?)\"" | table serialNumber
It returns an empty result. It is in JSON format.
{serialNumber":"test12836","serviceChannel":"test","countryOfPurchase":"ind",}
If you use spath before the rex it should work. (It does for me.)