Re: Help with Rex Commands

splunknewbie81 · ‎08-27-2021

Hi All,

I am having some trouble extracing out the following with the following details

1. username
2. Default Msg
3. Date
4. Time

This is what I have tried and it gives me the username but I am stuck with how to extract the date , time and defaultmsg.

can someone please help me? Thank You so much

Index=xxx-xxx
| rex (?<username>\w+@\w+.\w+)
|table username DefaultMsg Date TIme

Thank You

regards,
Alex

splunknewbie81 · ‎09-01-2021

May I check if I can use eval command to actually filter to stop the data from showing up?

If yes, would anyone please show me how to use eval command?

isoutamo · ‎09-02-2021

Hi
Probably yes, but can you create a new question for that where you give example with data and result what you are meaning. For that way it's easier for community members found this question later on.
r. Ismo

PickleRick · ‎08-27-2021

Why not use spath to extract data from the json part?

isoutamo · ‎08-28-2021

Also spath is one option. But if you have lot of events and those are big then it's good to check what are cost for use it vs pure rex. You could use job inspector for that.
r. Ismo

PickleRick · ‎08-28-2021

You're 100% right - spath does manipulation on a higher level so with bigger amounts of dataraw regex manipulation might indeed be faster. But spath is faster to write and might just be quick enough.

splunknewbie81 · ‎08-27-2021

Hi @PickleRick ,

Would you mind to show me a example if you don't mind?

Thank You

Regards,

Alex

PickleRick · ‎08-27-2021

Sure. First extract the raw json part into a field, then use spath to extract a value from json. Like that:

| rex "(?<jsondata>{.*})" |  spath input=jsondata path="defaultMsg" | spath input=jsondata path="userName"

gcusello · ‎08-27-2021

Hi @splunknewbie81,

Please try this regex

| rex "(?ms)^(?<date>\w+\s\d+)\s+(?<Time>\d+:\d+:\d+).*defaultMsg\":\"(?<defaultMsg>[^\"]+).*userName\":\"(?<userName>[^\"]+)"

that you can test at https://regex101.com/r/EGsp5X/1

If you could share the ssample logs in text format instead image, I could be more precise.

ciao.

Giuseppe

splunknewbie81 · ‎08-27-2021

Hi @gcusello ,

Please find pdf of the text

gcusello · ‎08-27-2021

Hi @splunknewbie81,

OK, I confirm the previous regex.

Ciao.

Giuseppe

P.S.: for the next time, put the logs in the Insert/edit code sample button (the one with </>), it's easier than a pdf.

ITWhisperer · ‎08-27-2021

Try something like this

Index=xxx-xxx 
| rex ^(?<Date>\w+\s\d+)\s(?<Time>\d+:\d+:\d+).+\"defaultMsg\":\s*\"(?<DefaultMsg>[^\"]+)\".+\"userName\":\s*\"(?<username>[^\"]+)\" 
|table username DefaultMsg Date TIme

isoutamo · ‎08-27-2021

Hi

in next time we prefer those events as text, so it's easier to check and create that rex 😉

You could try this:

....
| rex "\"defaultMsg\":\"(?<defaultMsg>[^\"]+)\".*\"userName\":\"(?<userName>[^\"]+)"

https://regex101.com/r/AtrUKE/1 You could test it with this.

Date and time you should get correctly on indexing time. Then you can take those from _time like

....
| eval date = strftime(_time, "%Y-%m-%d"), time = strftime(_time, "%H:%M:%S")
| eval dispDateTime = strftime(_time, "%b %d %H:%M:%s")

r. Ismo

Help with Rex Commands

field extraction

rex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!