Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

regex splunk log json

leandromatperei
Path Finder
‎11-08-2021 06:51 AM

I need to extract the image name from a field, but I'm not getting it using the rex. Can you help me identify what the error is? When testing regex via website regex101 is functional.

index=teste  | rex field=_raw "kubernetes_container_image: (?<container>.*)"

 

app: teste-app
cluster_account: teste-prod  
kubernetes_container_image: rw-tested-001
app: teste-app2
cluster_account: teste-homolog  
kubernetes_container_image: 1232ds-teste--002
app: teste-app3
cluster_account: teste-prod  
kubernetes_container_image: rwteste-003
app: teste-app4
cluster_account: teste-homolog  
kubernetes_container_image: teste-001
app: teste-app5
cluster_account: teste-prod  
kubernetes_container_image: teste-001
app: teste-app6
cluster_account: teste-homolog  
kubernetes_container_image: teste-001

 

 

Labels (2)
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2021 07:36 AM

Your title hints at JSON yet your example is not raw JSON. Try putting the double quotes back in

index=teste  | rex field=_raw "\"kubernetes_container_image\": \"(?<container>.*)\""
0 Karma
Reply
Get Updates on the Splunk Community!