Here is the message in Splunk, and I am trying to extract customer and channel:
{"line":"2020-04-03T12:24:54.589Z LCS {\"customer\":5,\"channel\":\"sqs\",\"notificationId\":213546}
When I run something like this:
index=docker "Exception" | rex "CustomerID: (?<customer>\S+)," | rex "channelName\\\\\":\\\\\"(?<channel>\w+)" | stats count(notificationId) by CustomerID
I am able to see the CustomerID extracted, but when I do:
index=docker "Exception" | rex "CustomerID: (?<customer>\S+)," | rex "channelName\\\\\":\\\\\"(?<channel>\w+)" | stats count(notificationId) by CustomerID, channelName
It is not displaying any results, which tells me I am not extracting the channelName correctly. How can I fix this?
Your data has channel but your RegEx has channelName, so try this:
... | rex "channel\\\\\":\\\\\"(?<channel>\w+)"
Nobody likes backslashes!
| makeresults
| eval _raw="{\"line\":\"2020-04-03T12:24:54.589Z LCS {\\\"customer\\\":5,\\\"channel\\\":\\\"sqs\\\",\\\"notificationId\\\":213546}"
| rex "customer\\\\\":(?<customer>[^,]+),\\\\\"channel\\\\\":\\\\\"(?<channel>[^\\\]+)\\\\\""
Neither of your regular expressions match the example data. There is no "CustomerID:" string and no "channelName" string. Please verify the data so we can help you.
Escaping of '\' is unintuitive in rex. Experiment with the number of \\ used to get the desired results.
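To make that escaping concrete, here is an added Python illustration (not code from any answer above, and not Splunk's own implementation): it mimics how Splunk reduces the double-quoted rex literal before the regex engine sees it, applies the result to a constructed event modelled on the question's data, and shows a regex-free alternative. It assumes only \\ and \" are collapsed in the SPL literal and that the embedded object always follows the first "{" in the line field.

```python
import json
import re

# Constructed sample event modelled on the question's data: a docker JSON
# wrapper whose "line" field holds a timestamp, a tag, and an escaped JSON object.
RAW_EVENT = (
    '{"line":"2020-04-03T12:24:54.589Z LCS '
    '{\\"customer\\":5,\\"channel\\":\\"sqs\\",\\"notificationId\\":213546}"}'
)

# The pattern exactly as typed between the quotes of rex "..." in SPL
# (a raw string keeps every backslash literal).
SPL_PATTERN = (
    r'customer\\\\\":(?<customer>[^,]+),'
    r'\\\\\"channel\\\\\":\\\\\"(?<channel>\w+)'
)


def spl_unescape(s: str) -> str:
    """Reduce an SPL double-quoted literal the way Splunk does before rex runs:
    \\\\ becomes \\ and \\" becomes " (assumption: other backslash sequences,
    such as \\w, pass through unchanged)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def rex_extract(event: str, spl_pattern: str) -> dict:
    """Apply an SPL rex pattern to one event: unescape the literal, translate
    PCRE's (?<name>...) groups to Python's (?P<name>...) (lookbehinds untouched),
    then search. Returns {} when nothing matches, like an empty rex result."""
    regex = re.sub(r"\(\?<(?![=!])", "(?P<", spl_unescape(spl_pattern))
    m = re.search(regex, event)
    return m.groupdict() if m else {}


def json_extract(event: str) -> dict:
    """Regex-free alternative: parse the wrapper, then parse the embedded object
    that follows the timestamp and tag, so no backslash counting is needed."""
    line = json.loads(event)["line"]
    inner = json.loads(line[line.index("{"):])
    return {"customer": inner["customer"], "channel": inner["channel"]}
```

Running the question's original channelName pattern through rex_extract returns {}, which is why the stats by channelName produced no rows.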
Never mind. I was looking at the wrong values. Thanks for pointing it out.