regex splunk log json

leandromatperei · ‎11-08-2021

I need to extract the image name from a field, but I'm not getting it using the rex. Can you help me identify what the error is? When testing regex via website regex101 is functional.

index=teste | rex field=_raw "kubernetes_container_image: (?<container>.*)"

app: teste-app
cluster_account: teste-prod  
kubernetes_container_image: rw-tested-001
app: teste-app2
cluster_account: teste-homolog  
kubernetes_container_image: 1232ds-teste--002
app: teste-app3
cluster_account: teste-prod  
kubernetes_container_image: rwteste-003
app: teste-app4
cluster_account: teste-homolog  
kubernetes_container_image: teste-001
app: teste-app5
cluster_account: teste-prod  
kubernetes_container_image: teste-001
app: teste-app6
cluster_account: teste-homolog  
kubernetes_container_image: teste-001

ITWhisperer · ‎11-08-2021

Your title hints at JSON yet your example is not raw JSON. Try putting the double quotes back in

index=teste  | rex field=_raw "\"kubernetes_container_image\": \"(?<container>.*)\""

regex splunk log json

configuration

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

regex splunk log json

configuration

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions