Please find the sample entries of two log messages given below. I want a search condition to select a report with the value "reportReferenceNumber" : 0
Please help?
"report" : {
"reportReferenceNumber" : 0,
"report" : {
"venue" : {
"locationId" :2,
"landmark" : "opp to station",
..
}
}
"report" : {
"reportReferenceNumber" : 1323,
"report" : {
"venue" : {
"locationId" :2,
"landmark" : "opp to station",
..
}
}
You should be able to use the regex command to filter on events that match a criteria. What does your base search look like? Is that full log entry one event in your env? Something like this should work, but if none of these suggestions are working for you, then we may need a little more context...
[your base search] | regex "\"reportReferenceNumber\" : 0," | [stuff to do with the results]
Somesoni2's answer should have worked. Try this:
... | rex "reportReferenceNumber\"\s:\s(?P<report_reference_number>\d+)" | search report_reference_number=0 | ...
It works with your sample logs in regex101.com.
When I use your query I am getting "unbalanced query" error. but when I try using query below, No response again.
rex "\"crimeReferenceNumber\"\s:\s(?P\d+)" | search crime_reference_number=0
I left out an escape character. Please try my updated answer.
You can also filter without the field extraction
index=foo sourcetype=bar "\"reportReferenceNumber\" : 0" | rest of the search ....
sorry for the delayed response. your suggestion not working. Getting "No record" found error
... | rex (?m) reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W | search REPORT_REFERENCE_NUMBER = 0
You can extract the number into a field and filter on it
Sorry for the delayed response. Your suggestion not working.
Getting the following error. I used exactly as you described.
⚠Error in 'rex' command: The regex '(?m)' does not extract anything. It should specify at least one named group. Format: (?...).
The rex
command argument needs to be in quotation marks.
... | rex "(?m)reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W" |...
No result apearing when I combine your suggestion (richgalloway) with search REPORT_REFERENCE_NUMBER= 0
when I remove search REPORT_REFERENCE_NUMBER= 0, I am getting too many result.