Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

regex splunk log json

leandromatperei
Path Finder
‎11-08-2021 06:51 AM

I need to extract the image name from a field, but I'm not getting it using the rex. Can you help me identify what the error is? When testing regex via website regex101 is functional.

index=teste  | rex field=_raw "kubernetes_container_image: (?<container>.*)"

 

app: teste-app
cluster_account: teste-prod  
kubernetes_container_image: rw-tested-001
app: teste-app2
cluster_account: teste-homolog  
kubernetes_container_image: 1232ds-teste--002
app: teste-app3
cluster_account: teste-prod  
kubernetes_container_image: rwteste-003
app: teste-app4
cluster_account: teste-homolog  
kubernetes_container_image: teste-001
app: teste-app5
cluster_account: teste-prod  
kubernetes_container_image: teste-001
app: teste-app6
cluster_account: teste-homolog  
kubernetes_container_image: teste-001

 

 

Labels (2)
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2021 07:36 AM

Your title hints at JSON yet your example is not raw JSON. Try putting the double quotes back in

index=teste  | rex field=_raw "\"kubernetes_container_image\": \"(?<container>.*)\""
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...