Help with Regular expression for json

chvenu17
Explorer

I need a regular expression to extract JSON from the message field. Can someone help?

After extracting it, I want to parse the extracted JSON using the spath command.

{
@timestamp: 2022-04-09T05:50:04.336Z
@version: 1
file: test.log
message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}
name: test
no: 111111111111
}


ITWhisperer
SplunkTrust

Try with the ms flags so that . will match across new lines.

| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"


ITWhisperer
SplunkTrust

This assumes that the message field is immediately followed by name.

(?ms)message:.+?(?<json>\{.*\})\s*name


chvenu17
Explorer

Thanks for the immediate response.

Name is another field.

The "message" field contains the sample data below. It just ends with the JSON object.

I need to extract the JSON and create a new field.

message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}


ITWhisperer
SplunkTrust

| rex "(?ms)message:.+?(?<json>\{.*\})\s*name"


chvenu17
Explorer

Not getting it, just getting empty output.

| rex "(?ms)message:.+?(?<json>\{.*\})\s*name" |table json

chvenu17
Explorer

The rex below is giving "{" as output (the start of the JSON). Need to tweak it to print to the end.

|table message
| rex field=message "Request \#[0-9]+\: (?<json>.+)" |table json


ITWhisperer
SplunkTrust

Try with the ms flags so that . will match across new lines.

| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"

chvenu17
Explorer

It worked perfectly. What does (?ms) represent here? Can you explain?

Thank you


ITWhisperer
SplunkTrust

m - means multiline.

s - means . will match a new line - this is actually the important one in this instance.

| rex field=message "(?s)Request \#[0-9]+\: (?<json>.+)"

This should also work for you.

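The behaviour discussed in this thread, reproduced outside Splunk as an added example (not code from the thread or from Splunk): the same `Request #N: (?<json>.+)` pattern is run once without and once with the dot-matches-newline flag (Python's `re.DOTALL` is the equivalent of PCRE's `(?s)`), showing why the first attempt captured only `{`, and the captured text is then parsed the way spath would. The sample message is constructed to match the shape of the one in the question.

```python
import json
import re

# Constructed sample, shaped like the message field in the question.
MESSAGE = (
    "2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {\n"
    '"context": {\n'
    '"httpContextKey": 1111111111,\n'
    '"verbId": 2,\n'
    '"verb": "GET",\n'
    '"originalVerb": "GET",\n'
    '"protocol": "https",\n'
    '"parameters": {\n'
    '"uri": {\n'
    '"version": "v2"\n'
    "}}}}"
)

# Same pattern as the thread's rex, without the inline flag so the two
# variants can be compared; Python's named group syntax is (?P<name>...).
PATTERN = r"Request #[0-9]+: (?P<json>.+)"


def extract_json(message, dotall=True):
    """Return the text captured by the json group, or None on no match.

    With dotall=False '.' stops at the first newline, so only '{' is
    captured (the output reported in the thread); with dotall=True
    (PCRE's (?s)) '.+' runs to the end of the multi-line value.
    """
    flags = re.DOTALL if dotall else 0
    m = re.search(PATTERN, message, flags)
    return m.group("json") if m else None


def parse_request_json(message):
    """Extract the JSON that follows 'Request #N:' and parse it.

    raw_decode() stops at the end of the first complete JSON value, so
    any text that trails the object does not break parsing.
    """
    raw = extract_json(message, dotall=True)
    if raw is None:
        return None
    obj, _end = json.JSONDecoder().raw_decode(raw)
    return obj
```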

chvenu17
Explorer

Thanks
