regex splunk log json

leandromatperei · ‎11-08-2021

I need to extract the image name from a field, but I'm not getting it using the rex. Can you help me identify what the error is? When testing regex via website regex101 is functional.

index=teste | rex field=_raw "kubernetes_container_image: (?<container>.*)"

app: teste-app
cluster_account: teste-prod  
kubernetes_container_image: rw-tested-001
app: teste-app2
cluster_account: teste-homolog  
kubernetes_container_image: 1232ds-teste--002
app: teste-app3
cluster_account: teste-prod  
kubernetes_container_image: rwteste-003
app: teste-app4
cluster_account: teste-homolog  
kubernetes_container_image: teste-001
app: teste-app5
cluster_account: teste-prod  
kubernetes_container_image: teste-001
app: teste-app6
cluster_account: teste-homolog  
kubernetes_container_image: teste-001

ITWhisperer · ‎11-08-2021

Your title hints at JSON yet your example is not raw JSON. Try putting the double quotes back in

index=teste  | rex field=_raw "\"kubernetes_container_image\": \"(?<container>.*)\""

regex splunk log json

configuration

using Splunk Enterprise

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

regex splunk log json

configuration

using Splunk Enterprise

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I