Splunk Search

Field extraction using regex

dinesh001kumar
Engager

 Hi All,

Can anbody help us with the Regex expression to extract the feild of Channel: values will be either APP or Web which was highlighted in Sample logs below.

Sample Log1:

\\\":\\\"8E4B3815425627\\\",\\\"channel\\\":\\\"APP\\\"}\"","call_res_body":{},

Sample Log2:

4GksYUB7HGIfhfvs_iLtSc8EFCzOzbAJBze8wjXSDnwmgdhwjjxjsghqsxvhv\\\",\\\"channel\\\":\\\"web\\\"}\"","call_res_body":{},"additional_fields":{}}

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Firstly, this looks like it might be some sort of JSON, so you might be better of treating it as such.

However, if you wish to proceed with regex, then you could try something like this

| rex "channel[^\w]+(?<channel>APP|web)"

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Firstly, this looks like it might be some sort of JSON, so you might be better of treating it as such.

However, if you wish to proceed with regex, then you could try something like this

| rex "channel[^\w]+(?<channel>APP|web)"
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Actually, it looks like some horribly disfigured json. It's twice escaped "->\"->\\\"

It might be smart to look into the ingestion process and try to optimize it.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I agree with @PickleRick but sometimes this can be gotten around by reparsing fields with spath, but we can't tell this without seeing the full event.

0 Karma

Thulasinathan_M
Contributor

You can try something like below in rex command

channel[^A-Za-z]+(?<channel_type>[^\\]+)

 

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...