Splunk Search

Help with Regular expression for json

chvenu17
Path Finder

I need a regular expression to extract JSON from the message field. Can someone help?

After extraction I want to parse the extracted JSON using the spath command.

 

{
@timestamp: 2022-04-09T05:50:04.336Z
@version: 1
file: test.log
message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}
name: test
no: 111111111111

}

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Try with the ms flags so that . will match across new lines

| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"


0 Karma

ITWhisperer
SplunkTrust

This assumes that the message field is immediately followed by name.

(?ms)message:.+?(?<json>\{.*\})\s*name

 

0 Karma

chvenu17
Path Finder

Thanks for the immediate response.

Name is another field.

The "message" field contains the sample data below; it just ends with the JSON object.

I need to extract the JSON and create a new field.

 

message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}

0 Karma

ITWhisperer
SplunkTrust

| rex "(?ms)message:.+?(?<json>\{.*\})\s*name"

0 Karma

chvenu17
Path Finder

Not getting it, just getting empty output.

 

| rex "(?ms)message:.+?(?<json>\{.*\})\s*name" |table json

0 Karma

chvenu17
Path Finder

The rex below is giving "{" as output (the start of the JSON). It needs a tweak to print to the end.

|table message
| rex field=message "Request \#[0-9]+\: (?<json>.+)" |table json

0 Karma

ITWhisperer
SplunkTrust

Try with the ms flags so that . will match across new lines.

| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"

0 Karma

chvenu17
Path Finder

It worked perfectly. What does (?ms) represent here? Can you explain?

 

Thank you

0 Karma

ITWhisperer
SplunkTrust

m - means multiline

s - means . will also match a new line - this is actually the important one in this instance

| rex field=message "(?s)Request \#[0-9]+\: (?<json>.+)"

This should also work for you. 

0 Karma
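The two behaviours discussed in this thread, shown in Python's `re` module so they can be run outside Splunk: without the `s` flag `.` stops at the first newline, so the named group captures only `{`; and the earlier `\s*name` pattern returns nothing when run against the message field alone because the literal `name` only exists in the surrounding event. This is an added example, not code from the thread or from Splunk; the event text is constructed from the sample above, and Python writes the named group as `(?P<json>...)` where rex writes `(?<json>...)`. The final step parses the captured text the way `spath input=json` would.

```python
import json
import re

# Constructed message field, modelled on the sample in the question.
MESSAGE = (
    "2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {\n"
    '"context": {\n'
    '"httpContextKey": 1111111111,\n'
    '"verbId": 2,\n'
    '"verb": "GET",\n'
    '"originalVerb": "GET",\n'
    '"protocol": "https",\n'
    '"parameters": {\n'
    '"uri": {\n'
    '"version": "v2"\n'
    "}}}}"
)

# Constructed whole event (what rex sees when no field= is given): the
# message field is followed by the separate "name" and "no" fields.
RAW_EVENT = (
    "@timestamp: 2022-04-09T05:50:04.336Z\n"
    "message: " + MESSAGE + "\n"
    "name: test\n"
    "no: 111111111111"
)

# The first attempt from the thread: no flags, so "." stops at the newline.
PATTERN_NO_FLAGS = re.compile(r"Request \#[0-9]+\: (?P<json>.+)")
# The accepted answer: (?s) lets "." cross newlines and capture the whole object.
PATTERN_DOTALL = re.compile(r"(?s)Request \#[0-9]+\: (?P<json>.+)")
# The earlier suggestion, which only matches when a literal "name" follows the JSON.
PATTERN_NEEDS_NAME = re.compile(r"(?ms)message:.+?(?P<json>\{.*\})\s*name")


def extract_json(text, pattern):
    """Return the 'json' group, or None when there is no match (rex would leave the field empty)."""
    m = pattern.search(text)
    return m.group("json") if m else None


def parse_json_field(text):
    """rex with (?s) followed by spath-style parsing of the captured object."""
    raw = extract_json(text, PATTERN_DOTALL)
    if raw is None:
        return None
    return json.loads(raw)


if __name__ == "__main__":
    print(repr(extract_json(MESSAGE, PATTERN_NO_FLAGS)))      # only "{"
    print(extract_json(MESSAGE, PATTERN_NEEDS_NAME))           # None: no "name" in the field
    print(extract_json(RAW_EVENT, PATTERN_NEEDS_NAME) is not None)  # True on the full event
    print(parse_json_field(MESSAGE)["context"]["verb"])        # GET
```

Running it reproduces the thread: the flag-less pattern yields just `{`, the `\s*name` pattern finds nothing in the message field but does match the full event, and the `(?s)` pattern captures an object that parses cleanly.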

chvenu17
Path Finder

Thanks

0 Karma

senthild
Explorer

I have my JSON data where sometimes we are unable to see the status: closed field in some of the events, and I want to write a regex to bring this into the event:

state: {
     alert_id: orca-8452634
     closed_reason: null
     closed_time: null
     created_at: 2023-07-06T11:41:18+00:00
     high_since: null
     in_verification: null
     is_new_score: null
     last_seen: 2024-02-04T11:38:11+00:00
     last_updated: 2024-02-05T13:45:45+00:00
     low_since: 2024-02-05T13:45:45+00:00
     orca_score: 7
     risk_level: high
     rule_source: null
     score: 2
     severity: imminent compromise
     status: closed
     status_time: 2024-02-05T13:45:45+00:00
     verification_status: null

 

Can anyone help us to close this?

0 Karma