Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extraction not working, need usable rex expression

nkavouris
Path Finder
‎07-17-2024 07:36 AM

I have a search that yields

"message":"journey::cook_client: fan: 0, auger: 0, glow_v: 36, glow: false, fuel: 0, cavity_temp: 257"

I am trying to extract the bold value associated with fuel, the value can be any number 0-1000 Using the field extractor I have gotten an unusable rex result:  

rex message="^\{"\w+":\d+,"\w+_\w+":"[a-f0-9]+","\w+":"\w+_\w+","\w+_\w+":"\w+","\w+_\w+":"\w+","\w+":\{"\w+":"\w+","\w+":"\w+","\w+":\d+\.\d+,"\w+":\-\d+\.\d+,"\w+":"\w+"\},"\w+_\w+":"\w+","\w+":"\w+::\w+_\w+_\w+:\s+\w+:\s+\d+,\s+\w+:\s+\d+,\s+\w+_\w+:\s+\d+,\s+\w+:\s+\w+,\s+\w+:\s+(?P<fuel_level>\d+)"

When trying to search with this, the next command does not work and my result yields: Invalid search command 'a'

Can someone give me usable rex to get the highlighted number in a field titled 'fuel_level'

Labels (3)
Labels
Preview file
14 KB
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-17-2024 09:10 AM

Please illustrate full message.  The look of the fragment suggest your source is actually JSON, something like

 

{"message":"journey::cook_client: fan: 0, auger: 0, glow_v: 36, glow: false, fuel: 0, cavity_temp: 257", "foo":"bar"}

 

Is this correct?  Using regex directly on structured data is strongly discouraged as any regex is doomed to be fragile.

If the JSON is raw event, Splunk would have already extracted a field called "message".  Start from this field instead.  This field also is structured as KV pairs.  Use kv aka extract instead of regex.

 

| rename _raw as temp, message as _raw
| kv kvdelim=": " pairdelim=","
| rename _raw as message, temp as _raw
| fields fuel

 

Your sample data would have given

fuel_raw_time
0{"message":"journey::cook_client: fan: 0, auger: 0, glow_v: 36, glow: false, fuel: 0, cavity_temp: 257", "foo":"bar"}2024-07-17 09:06:35

Here is an emulation for you to play with and compare with real data

 

| makeresults
| eval _raw = "{\"message\":\"journey::cook_client: fan: 0, auger: 0, glow_v: 36, glow: false, fuel: 0, cavity_temp: 257\", \"foo\":\"bar\"}"
| spath
``` data emulation above ```

 

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...