How to achieve "Message":"###1234$$$ Invalid" result with rex?

wvsgo215
Engager

splunk data: 2022-01-01T02:06:12.182Z 7c3edf29-c081-4cca-ae9b-0f79ef7d1c8d INFO {"InfoLogInformation":{"MethodName":"index.handler","Message":""Processing completed"","LogType":"Info","Error":"2022-01-01T02:06:12.040Z::400 - {"ResponseStatus":{"ErrorCode":"WorkBookMessageException","Message":"###1234$$$ Invalid." 

query: | rex ",\"Message\":\"\"(?<Message>.*?)\"\""
| rex "\"Exception\":\"400 - {\"ResponseStatus\":{\"ErrorCode\":\"(?<ErrorCode>.*?)\",\"Message\":\"(?<Message>.*?)\""

query result: Message = Processing completed  

I want the result to be Message = ###1234$$$ Invalid.

Please help. TIA


yuanliu
SplunkTrust

@wvsgo215 Are you sure the illustrated data is complete and in its original format? I speculate that the original format could be something like

2022-01-01T02:06:12.182Z 7c3edf29-c081-4cca-ae9b-0f79ef7d1c8d INFO {"InfoLogInformation":{"MethodName":"index.handler","Message":"Processing completed","LogType":"Info"},"Error":"2022-01-01T02:06:12.040Z::400 - {'ResponseStatus':{'ErrorCode':'WorkBookMessageException','Message':'###1234$$$ Invalid.'}}"}

If the data is structured, use rex to extract the JSON object, then spath to extract from JSON. If the log format is like the above, use

| rex " INFO (?<info_json>{.+)"
| spath input=info_json path=Error
| eval error_json = replace(Error, "^[^{]*", "")
| eval error_json = replace(error_json, "'", "\"") ``` JSON uses double quote ```
| spath input=error_json

You get

ResponseStatus.ErrorCode = WorkBookMessageException
ResponseStatus.Message = ###1234$$$ Invalid.
error_json = {"ResponseStatus":{"ErrorCode":"WorkBookMessageException","Message":"###1234$$$ Invalid."}}
Error = 2022-01-01T02:06:12.040Z::400 - {'ResponseStatus':{'ErrorCode':'WorkBookMessageException','Message':'###1234$$$ Invalid.'}}

SPL's built-in functions are much more robust at handling structured data like JSON.

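The rex-then-spath pipeline above, replayed step by step in Python so the intermediate values can be inspected. This is an added example, not code from the thread or from Splunk; it assumes the event layout yuanliu speculates (an "Error" string carrying a single-quoted object after a "timestamp::400 - " prefix), uses a constructed copy of that event, and adds one failure case the SPL silently drops: when the message text itself contains an apostrophe, the blanket quote swap produces invalid JSON and the second spath yields nothing.

```python
import json
import re

# Constructed sample event in the layout speculated in the answer above (not real log data).
EVENT = (
    '2022-01-01T02:06:12.182Z 7c3edf29-c081-4cca-ae9b-0f79ef7d1c8d INFO '
    '{"InfoLogInformation":{"MethodName":"index.handler",'
    '"Message":"Processing completed","LogType":"Info"},'
    '"Error":"2022-01-01T02:06:12.040Z::400 - '
    "{'ResponseStatus':{'ErrorCode':'WorkBookMessageException',"
    "'Message':'###1234$$$ Invalid.'}}\"}"
)

# rex " INFO (?<info_json>{.+)"  (Python's re spells named groups as (?P<name>...))
INFO_JSON_RE = re.compile(r" INFO (?P<info_json>\{.+)")


def extract_info_json(event: str):
    """Step 1: pull the JSON object that follows the INFO level token."""
    m = INFO_JSON_RE.search(event)
    return m.group("info_json") if m else None


def parse_error_blob(error: str):
    """Steps 3-5: strip the 'timestamp::400 - ' prefix, swap quotes, parse.

    Returns (ErrorCode, Message), or None when the blob is not valid JSON after
    the quote swap (e.g. the message text contains an apostrophe)."""
    error_json = re.sub(r"^[^{]*", "", error)   # eval error_json = replace(Error, "^[^{]*", "")
    error_json = error_json.replace("'", '"')    # JSON uses double quotes
    try:
        parsed = json.loads(error_json)          # spath input=error_json
    except json.JSONDecodeError:
        return None
    rs = parsed.get("ResponseStatus", {})
    return rs.get("ErrorCode"), rs.get("Message")


def extract_fields(event: str) -> dict:
    """Whole pipeline: the fields the SPL above produces for one event."""
    info_json = extract_info_json(event)
    if info_json is None:
        return {}
    info = json.loads(info_json)                 # spath input=info_json
    error = info.get("Error", "")                # path=Error
    parsed = parse_error_blob(error)
    if parsed is None:
        return {"Error": error}                  # spath produced no ResponseStatus.* fields
    code, message = parsed
    return {
        "ResponseStatus.ErrorCode": code,
        "ResponseStatus.Message": message,
        "Error": error,
    }


if __name__ == "__main__":
    for name, value in extract_fields(EVENT).items():
        print(f"{name} = {value}")
```

Run it and the output mirrors the field table above; feed `parse_error_blob` an Error value whose message reads `"Can't ..."` and it returns None, which is the case to watch for if these messages are used in alerting.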

gcusello
SplunkTrust

Hi @wvsgo215,

please try this regex:

| rex "\"Message\":\"(?<message>[^\"]*?)\"\s"

that you can test at https://regex101.com/r/jdWRO8/1

Ciao.

Giuseppe
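To see why the question's first rex returns "Processing completed" while Giuseppe's pattern returns the second Message, here is an added Python harness (not code from the thread) that runs the three patterns from this page against a constructed copy of the event exactly as posted, trailing space included. It assumes the SPL string escaping (`\"`) has been removed so the patterns are plain regexes, and translates PCRE `(?<name>...)` groups to Python's `(?P<name>...)`.

```python
import re

# The event as posted in the question (constructed copy; the trailing space matters).
EVENT = (
    '2022-01-01T02:06:12.182Z 7c3edf29-c081-4cca-ae9b-0f79ef7d1c8d INFO '
    '{"InfoLogInformation":{"MethodName":"index.handler","Message":""Processing completed"",'
    '"LogType":"Info","Error":"2022-01-01T02:06:12.040Z::400 - {"ResponseStatus":'
    '{"ErrorCode":"WorkBookMessageException","Message":"###1234$$$ Invalid." '
)

# Pattern 1 from the question: anchored on the doubled quotes of the first Message field.
ASKER_REX_1 = r',"Message":""(?<Message>.*?)""'
# Pattern 2 from the question: looks for "Exception":"400 - , which never occurs in the event.
ASKER_REX_2 = (r'"Exception":"400 - {"ResponseStatus":{"ErrorCode":"(?<ErrorCode>.*?)",'
               r'"Message":"(?<Message>.*?)"')
# Giuseppe's pattern: [^"]*? cannot cross a quote, so at the first Message it captures
# nothing, the \s check fails on "P", and the match lands on the second Message.
SUGGESTED_REX = r'"Message":"(?<message>[^"]*?)"\s'


def run_rex(pattern: str, event: str) -> dict:
    """Apply a rex-style pattern with Python's re and return the named groups of the
    first match, or {} when nothing matches (rex likewise leaves fields untouched)."""
    py_pattern = re.sub(r"\(\?<(?P<n>\w+)>", r"(?P<\g<n>>", pattern)
    m = re.search(py_pattern, event)
    return m.groupdict() if m else {}


def message_after_question_pipeline(event: str):
    """Emulate the two-rex pipeline from the question: a later rex that does not
    match leaves the Message field set by the earlier one."""
    fields = {}
    fields.update(run_rex(ASKER_REX_1, event))
    fields.update(run_rex(ASKER_REX_2, event))
    return fields.get("Message")


if __name__ == "__main__":
    print("question pipeline:", message_after_question_pipeline(EVENT))
    print("suggested rex:    ", run_rex(SUGGESTED_REX, EVENT).get("message"))
    print("without trailing space:", run_rex(SUGGESTED_REX, EVENT.rstrip()))
```

The last line of output shows the one caveat: the `\s` at the end of the suggested pattern relies on whitespace following the closing quote, so if the raw event ends at `Invalid."` with nothing after it, the pattern matches neither Message; `[^"]*?"` followed by a character class of what actually follows in your data (or `$`) is the fix if that turns out to be the case.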
