Splunk Search

Help with Regular expression for json

chvenu17
Path Finder

I need a regular expression to extract JSON from the message field. Can someone help?

After extraction I want to parse the extracted JSON using the spath command.


{
@timestamp: 2022-04-09T05:50:04.336Z
@version: 1
file: test.log
message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}
name: test
no: 111111111111

}

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Try with the ms flags so that . will match across newlines.

| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"


0 Karma

ITWhisperer
SplunkTrust

This assumes that the message field is immediately followed by name.

(?ms)message:.+?(?<json>\{.*\})\s*name


0 Karma

chvenu17
Path Finder

Thanks for the immediate response.

Name is another field.

The "message" field contains the below sample data; it just ends with the JSON object.

I need to extract the JSON and create a new field.


message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}

0 Karma

ITWhisperer
SplunkTrust
| rex "(?ms)message:.+?(?<json>\{.*\})\s*name"
0 Karma

chvenu17
Path Finder

Not getting it, just getting empty output.


| rex "(?ms)message:.+?(?<json>\{.*\})\s*name" |table json
0 Karma

chvenu17
Path Finder

The below rex is giving "{" as output (the start of the JSON). Need to tweak it to print to the end.

|table message
| rex field=message "Request \#[0-9]+\: (?<json>.+)" |table json

0 Karma

ITWhisperer
SplunkTrust

Try with the ms flags so that . will match across newlines.

| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"
0 Karma

chvenu17
Path Finder

It worked perfectly. What does (?ms) represent here? Can you explain?


Thank you

0 Karma

ITWhisperer
SplunkTrust

m - means multiline

s - means . will also match a newline - this is actually the important one in this instance

| rex field=message "(?s)Request \#[0-9]+\: (?<json>.+)"

This should also work for you.

0 Karma
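The behaviour the thread works through, shown as an added Python example rather than SPL (this is not code from the thread): Python's re treats . the same way as Splunk's rex, so the pattern without the s flag captures only the opening {, while the (?ms) version captures the whole object. Python spells the named group (?P<json>...) instead of (?<json>...), and the trailing-text case is handled with json.JSONDecoder.raw_decode, which goes beyond what the answer shows.

```python
import json
import re
from typing import Optional

# Constructed sample modelled on the event in the thread (not the poster's real data).
MESSAGE = (
    "2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {\n"
    '"context": {\n'
    '"httpContextKey": 1111111111,\n'
    '"verbId": 2,\n'
    '"verb": "GET",\n'
    '"originalVerb": "GET",\n'
    '"protocol": "https",\n'
    '"parameters": {\n'
    '"uri": {\n'
    '"version": "v2"\n'
    "}}}}"
)
# Constructed variant: a further log line follows the JSON, so a greedy .+ over-captures.
MESSAGE_WITH_TRAILER = MESSAGE + "\n2021-04-09 05:50:05.001+0000 INFO |RestAPI.adminsrvr | done"

# The thread's rex pattern; Python needs (?P<name>...) for the named group.
# Without the s flag, . stops at the first newline, so .+ matches only "{".
PATTERN_NO_FLAGS = r"Request \#[0-9]+\: (?P<json>.+)"
# (?ms) as an inline prefix is understood by both PCRE (Splunk) and Python's re.
PATTERN_DOTALL = r"(?ms)Request \#[0-9]+\: (?P<json>.+)"


def rex_json(message: str, pattern: str) -> Optional[str]:
    """Return the text captured by the json group, or None if no match."""
    match = re.search(pattern, message)
    return match.group("json") if match else None


def extract_json_object(message: str) -> Optional[dict]:
    """Capture with the (?s) pattern, then parse only the leading JSON object.

    raw_decode stops at the closing brace, so any text after the object
    (the case the thread handles with a trailing \\s*name anchor) is ignored.
    """
    captured = rex_json(message, PATTERN_DOTALL)
    if captured is None:
        return None
    obj, _end = json.JSONDecoder().raw_decode(captured.lstrip())
    return obj


if __name__ == "__main__":
    print(repr(rex_json(MESSAGE, PATTERN_NO_FLAGS)))  # only "{"
    print(extract_json_object(MESSAGE_WITH_TRAILER)["context"]["verb"])
```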

chvenu17
Path Finder

Thanks

0 Karma

senthild
Explorer

I have my JSON data where sometimes we are unable to see the status: closed field in some of the events, as I want to write a regex to bring this in. Event:

state: {
     alert_id: orca-8452634
     closed_reason: null
     closed_time: null
     created_at: 2023-07-06T11:41:18+00:00
     high_since: null
     in_verification: null
     is_new_score: null
     last_seen: 2024-02-04T11:38:11+00:00
     last_updated: 2024-02-05T13:45:45+00:00
     low_since: 2024-02-05T13:45:45+00:00
     orca_score: 7
     risk_level: high
     rule_source: null
     score: 2
     severity: imminent compromise
     status: closed
     status_time: 2024-02-05T13:45:45+00:00
     verification_status: null

Can anyone help us to close this?

0 Karma