Solved: Re: How to choose only some values extracted from ...

guillecasco · ‎01-23-2017

Hey, i have this rex command which extract me some fields as json data from a lot of logs

| rex field=summary "BODY: (?\{.*)"

logs

BODY: {"shared": {"System.ProcessorName": "Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz", "System.Manufacturer": "GIGABYTE",  "Graphics.PCReleaseMajor": "15",  "OS.Arch": "64",, "a_data": [{"version": "9.1.4", "id": "7c965dd7-28f6-4e79-8a9c-a5d85425c371"}, {"version": "25678", "id": "8c177884-6479-48ec-8634-1243bd9c9206"}]}

so in the interesting fields i have (among others): shared.system.processorname, shared.system.manufacturer.....and so on.
Thing is that in a_data.version i have 2 types of version in logs but that are named the same (a_data.version). How can i choose/select only the second one? a. i need to only have: a_data.version: 25678 and not a_data.version: 9.1.4

is there a way to do this or not? when i'm doing stats count by version i get all versions, but only need last version and not the first one. is there a way to "name" them differently or something like that?

this is the search.

index: foo | rex field=summary "BODY: (?\{.*)" | spath input=json_data |  stats count by adata{}.version | sort -count

Thanks!

DalJeanis · ‎01-23-2017

There seems to be an extra comma in the data you posted, so that nothing extracts after OS.Arch.

| makeresults 
| eval summary="BODY: {\"shared\": {\"System.ProcessorName\": \"Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz\", \"System.Manufacturer\": \"GIGABYTE\", \"Graphics.PCReleaseMajor\": \"15\", \"OS.Arch\": \"64\",, \"a_data\": [{\"version\": \"9.1.4\", \"id\": \"7c965dd7-28f6-4e79-8a9c-a5d85425c371\"}, {\"version\": \"25678\", \"id\": \"8c177884-6479-48ec-8634-1243bd9c9206\"}]}" 
| rex field=summary "BODY: (?<json_data>.*)"  
| spath input=json_data

Test data with extra comma removed

| makeresults count=2
| eval summary="BODY: {\"shared\": {\"System.ProcessorName\": \"Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz\", \"System.Manufacturer\": \"GIGABYTE\", \"Graphics.PCReleaseMajor\": \"15\", \"OS.Arch\": \"64\", \"a_data\": [{\"version\": \"9.1.4\", \"id\": \"7c965dd7-28f6-4e79-8a9c-a5d85425c371\"}, {\"version\": \"25678\", \"id\": \"8c177884-6479-48ec-8634-1243bd9c9206\"}]}" 
| rex field=summary "BODY: (?<json_data>.*)"  
| spath input=json_data
| rename shared.a_data{}.version as version, shared.a_data{}.id as id 
| eval version = mvindex(version,-1) 
| eval id = mvindex(id,-1) 
| stats count by version

View solution in original post

DalJeanis · ‎01-23-2017

There seems to be an extra comma in the data you posted, so that nothing extracts after OS.Arch.

| makeresults 
| eval summary="BODY: {\"shared\": {\"System.ProcessorName\": \"Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz\", \"System.Manufacturer\": \"GIGABYTE\", \"Graphics.PCReleaseMajor\": \"15\", \"OS.Arch\": \"64\",, \"a_data\": [{\"version\": \"9.1.4\", \"id\": \"7c965dd7-28f6-4e79-8a9c-a5d85425c371\"}, {\"version\": \"25678\", \"id\": \"8c177884-6479-48ec-8634-1243bd9c9206\"}]}" 
| rex field=summary "BODY: (?<json_data>.*)"  
| spath input=json_data

Test data with extra comma removed

| makeresults count=2
| eval summary="BODY: {\"shared\": {\"System.ProcessorName\": \"Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz\", \"System.Manufacturer\": \"GIGABYTE\", \"Graphics.PCReleaseMajor\": \"15\", \"OS.Arch\": \"64\", \"a_data\": [{\"version\": \"9.1.4\", \"id\": \"7c965dd7-28f6-4e79-8a9c-a5d85425c371\"}, {\"version\": \"25678\", \"id\": \"8c177884-6479-48ec-8634-1243bd9c9206\"}]}" 
| rex field=summary "BODY: (?<json_data>.*)"  
| spath input=json_data
| rename shared.a_data{}.version as version, shared.a_data{}.id as id 
| eval version = mvindex(version,-1) 
| eval id = mvindex(id,-1) 
| stats count by version

guillecasco · ‎01-23-2017

awesome! that worked

DalJeanis · ‎01-23-2017

Great! Glad to help.

somesoni2 · ‎01-23-2017

Try like this (check the rex command as it was truncated in ques)

index: foo | rex field=summary "BODY: (?{.*)" | spath input=json_data | eval version=mvindex('adata{}.version',-1) | stats count by version | sort -count

guillecasco · ‎01-23-2017

getting this error with that command which i think would work. the -1 only takes last value doesn´t it?

"Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression"

DalJeanis · ‎01-23-2017

the field name was omitted by the web interface from somesoni2's code

rex field=summary "BODY: (?<json_data>{.*)"

gcusello · ‎01-23-2017

Hi guillecasco,
there are many things that you could to do:

format your rex as you prefer (e.g.: \d+);
if you have numbers choose the highest between them;
put a second filter in your search

Bye.
Giuseppe

guillecasco · ‎01-23-2017

how would it be a second filter. If i put another filter i will still apply to version either the first or the second one.
also, what do you mean with "if you have numbers choose the highest between them; "

How to choose only some values extracted from rex command

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?