Solved: Help with ending search for rex expression

pushpender07 · ‎04-27-2018

Hi All - I am using the below query

index=ABC "XYZ"| rex field=_raw "\"code\":\"(?.*)\"" | stats count by errorcode

This gives me an output like this
SR123","message":"Added Successfully." 2
SR456","message":"Declined." 4

the error code I am trying to extract is SR123 or SR456. How do I ensure the rex command ends errorcode at the 2nd " and only gives count for SR123 and SR456. Please help as I have never used rex field in command. Tried few hit and trial scenarios, didn't work.

somesoni2 · ‎04-27-2018

Give this a try (regex is starting to capture value after code":" till next double quote)

index=ABC "XYZ"| rex field=_raw "\"code\":\"(?<errorcode>[^\"]+)" | stats count by errorcode

View solution in original post

somesoni2 · ‎04-27-2018

Give this a try (regex is starting to capture value after code":" till next double quote)

index=ABC "XYZ"| rex field=_raw "\"code\":\"(?<errorcode>[^\"]+)" | stats count by errorcode

pushpender07 · ‎04-27-2018

Follow up question. If the output of the original query is like below

SR123","message":"Added Successfully.","error":null.

and I would want the output till
SR123","message":"Added Successfully."

Can I do that using rex? This is to help folks know what each message means.

thambisetty · ‎04-28-2018

message will extract after code":" to till last comma in a row.

index=ABC "XYZ"| rex field=_raw "\"code\":\"(?<message>.+),"

————————————
If this helps, give a like below.

pushpender07 · ‎04-27-2018

perfect, it worked. Can you please explain what did you change do logically?

macadminrohit · ‎04-28-2018

also you can use regex101.com , it helps a lot to build the regex.

Help with ending search for rex expression

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!