Re: Extract user field from log

user9025 · ‎10-15-2022

I have a log which looks like follow:

Request received :: Id assigned. --- Id=1,  BODY={"userIds":["11"],"email":"test@test.com,"Client":"Test"}

The userids will always contains one element in the list surrounded by square brackets. So from above request I want to get 11. I am using rex to extract userID but seems that its not working.

index=prod-* sourcetype="kube:service"  "Request received " | rex field=_raw "userIds\":\[\"(?<user_id>\d+)\"" |table user_id

But table is getting printed empty

user9025 · ‎10-15-2022

do we need to extract json variable BODY first from logs and then do it?

yuanliu · ‎10-15-2022

In a way yes, because you should not try to manage structured data like JSON using pure text manipulation like rex. On the other hand, if your data source is configured normally, you should already have a field named BODY. If not, you can use kv aka extract.

Once you verify that BODY is extracted, use spath to extract structured fields.

| spath input=BODY

user9025 · ‎10-15-2022

the events shared are reals, with some fields obfuscated, I am able to extract events, but putting them in table is coming up empty

ITWhisperer · ‎10-15-2022

There doesn't appear to be anything wrong with what you are doing given the example you have shared. Perhaps the example doesn't accurately represent your actual data? Can you share some obfuscated real events?

Extract user field from log?

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation