Splunk Search

How do I edit my rex syntax to extract the value from my data for a particular field?

New Member

Hi all,

I am trying to extract the value for node_name (`10.205.138.245_151027113757`) in this case.
My rex expression, which isn't working, is:

rex field=_raw "\"node_name\".*\":\"(?<field_name>.{26})\""

Here is my data:

{"cookbook_name":"007_JavaMSP_Apache_Admintool_Installation"},"initial_state":{"checksum":null,"owner":null,"group":null,"mode":null},"resource_id":"/prod/msp/checksum/007_JavaMSP_ApacheAdminTool_Installation.install_apache_admintool.checksum.current","resource_name":"/prod/msp/checksum/007_JavaMSP_ApacheAdminTool_Installation.install_apache_admintool.checksum.current","resource_result":"create","resource_type":"file","message_type":"run_resource","message_version":"0.1.0","sequence_number":11,"run":{"start_time":"2015-10-27T20:57:57Z","run_id":"e2a2c337-b8fc-4ef5-adf4-d00f64f2bcce","node_name":"10.205.138.245_151027113757",}
0 Karma

SplunkTrust

If you have to parse JSON using regular expressions, try this:

... | rex "\"node_name\"\s*:\s*\"(?<node_name>[^\"]+)\""

Consider using spath for inline JSON parsing, KV_MODE=json for configured search-time JSON parsing, or INDEXED_EXTRACTIONS=json for index-time JSON parsing.

0 Karma
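
Why the pattern in the question returns nothing while the one in the answer works, as an added example that is not part of the original thread. Both expressions are run in JavaScript, whose `(?<name>...)` named-group syntax is the same one `rex` accepts, over constructed events; `extract`, `events` and every sample value except the node_name from the question are assumptions.

```javascript
// Pattern from the question: after "node_name" it demands a later `":"`
// and then exactly 26 characters before the closing quote.
const original = /"node_name".*":"(?<field_name>.{26})"/;
// Pattern from the answer: key, optional whitespace around the colon,
// then everything up to the next double quote.
const fixed = /"node_name"\s*:\s*"(?<node_name>[^"]+)"/;

// Constructed events. `tail` is the end of the event posted in the question.
const events = {
  // node_name is the last key, so no `":"` follows it; the value is 27 chars.
  tail: '"run":{"start_time":"2015-10-27T20:57:57Z","node_name":"10.205.138.245_151027113757",}',
  // Whitespace around the colon, as a pretty-printing producer might emit.
  spaced: '{ "node_name" : "web-01" }',
  // A later key whose value happens to be 26 characters long.
  later: '{"node_name":"10.205.138.245_151027113757","resource_id":"abcdefghijklmnopqrstuvwxyz"}',
};

// Return the named capture group, or null when the pattern does not match.
function extract(pattern, group, text) {
  const m = pattern.exec(text);
  return m ? m.groups[group] : null;
}

// Run both patterns over every event and collect the results side by side.
function compare(samples) {
  const out = {};
  for (const [name, text] of Object.entries(samples)) {
    out[name] = {
      original: extract(original, 'field_name', text),
      fixed: extract(fixed, 'node_name', text),
    };
  }
  return out;
}

console.log(compare(events));
```

In the `later` event the question's pattern does match, but the greedy `.*` skips to the last `":"` and the capture holds the value of `resource_id`, so the field is silently populated with the wrong data.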