Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract user field from log?

user9025
Path Finder
‎10-15-2022 12:04 AM

I have a log which looks like follow:

 

Request received :: Id assigned. --- Id=1,  BODY={"userIds":["11"],"email":"test@test.com,"Client":"Test"}

 

The userids will always contains one element in the list surrounded by square brackets. So from above request I want to get 11. I am using rex to extract userID but seems that its not working.

 

index=prod-* sourcetype="kube:service"  "Request received " | rex field=_raw "userIds\":\[\"(?<user_id>\d+)\"" |table user_id

 

But table is getting printed empty

Labels (1)
Labels
Tags (1)
0 Karma
Reply

user9025
Path Finder
‎10-15-2022 08:51 AM

do we need to extract json variable BODY first from logs and then do it?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-15-2022 09:26 PM

In a way yes, because you should not try to manage structured data like JSON using pure text manipulation like rex.  On the other hand, if your data source is configured normally, you should already have a field named BODY. If not, you can use kv aka extract.

Once you verify that BODY is extracted, use spath to extract structured fields.

 

| spath input=BODY

 

0 Karma
Reply

user9025
Path Finder
‎10-15-2022 08:44 AM

the events shared are reals, with some fields obfuscated, I am able to extract events, but putting them in table is coming up empty

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-15-2022 01:14 AM

There doesn't appear to be anything wrong with what you are doing given the example you have shared. Perhaps the example doesn't accurately represent your actual data? Can you share some obfuscated real events?

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top