Solved: How to do Field extraction from Rex?

Sangamesh · ‎08-21-2023

I need to extract the values between >>>>|| || and after the >>>>|| || referring the below sample and output should be like

values between>>>>||1407|| should be temp=1407

values after >>>>||1407|| should be message=[POD CleanUp] File deleted from POD : /dfgd/dfgdfgdfg.dat

Here is the sample log:

{"source":"fdgdfdfg","log":"2023-08-21 04:07:12.400 INFO 42 --- [dfgdf] c.j.t.f.dgf.dfgd.dgf : >>>>||1407|| [POD CleanUp] File deleted from POD : /dfgd/dfgdfgdfg.dat","host":"xx-ret353.svr.gg.fghs.net","tags":["_dateparsefailure"],"@version":"1","Kubernetes.pod":"gkp-xcs-services-black-prd-67986d784-b6c5j","s_sourcetype":"tyu","@timestamp":"2023-08-21T08:07:28.420Z","Kubernetes.namespace":"80578d64606-56-fyt-ty-prod","appId":"1235","app_id":"2345","log_file":"/app/logs/app.log","Kubernetes.node":"sd-1564sw32b0f.svr.us.sdf.net"}

@ITWhisperer

ITWhisperer · ‎08-23-2023

Given that this looks like JSON, you should either already have these fields if you have ingested the log correctly, or you could use spath to extract them. If you want to continue with rex for these fields, try this:

| rex "timestamp\":\"(?<timestamp>[^\"]+)"
| rex "Kubernetes.pod\":\"(?<kubernetes_pod>[^\"]+)"

View solution in original post

ITWhisperer · ‎08-21-2023

This looks like JSON, so assuming you have already extract the log field, try this

| rex field=log ">>>>\|\|(?<temp>[^\|]+)\|\|\s(?<message>.+)"

Sangamesh · ‎08-28-2023

I see couple of logs starting with this log format too <><><><>||1407||

could you please provide the Rex expression with already provided solution @ITWhisperer

Sangamesh · ‎08-29-2023

@ITWhisperer @Will you able to provide the Rex for the below log format too.

<><><><>||1407||

ITWhisperer · ‎08-29-2023

| rex field=log "\<>\<>\<>\<>\|\|(?<temp>[^\|]+)\|\|\s(?<message>.+)"

Sangamesh · ‎08-29-2023

@ITWhisperer @Whatever you provided rex expression is not fetching the values

ITWhisperer · ‎08-29-2023

Please share the complete event which is not working for you (anonymised of course). Please use a code block </> so the formatting and special characters are preserved.

Sangamesh · ‎08-23-2023

How to extract these fields timestamp,kubernetes.pod too along with the below provided solutions

@ITWhisperer

ITWhisperer · ‎08-23-2023

Given that this looks like JSON, you should either already have these fields if you have ingested the log correctly, or you could use spath to extract them. If you want to continue with rex for these fields, try this:

| rex "timestamp\":\"(?<timestamp>[^\"]+)"
| rex "Kubernetes.pod\":\"(?<kubernetes_pod>[^\"]+)"

isoutamo · ‎08-23-2023

Hi

one way to do it use separate rex expressions. Then it's not dependent on order of those values in your log message. If you could be sure that order is always same then you can add all in one or to rex. As you have json (based on your examples) you could also use extract/kv command to extract those fields like json.

...
| rex "timestamp\":\"(?<timestamp>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d.\d{3}[^\"]+)"
| rex "Kubernetes\.pod\":\"(?<kubernets_pod>[^\"]+)"

r. Ismo

Added missed ) for 1st one.

Sangamesh · ‎08-23-2023

@isoutamo @Whatever you provided solution not extracting the timestamp and Kubernetes.pod

isoutamo · ‎08-23-2023

Based on your example this should works after I fix/add missed ) on timestamp part.

Timestamps https://regex101.com/r/QkHusK/1
Kubernetes.pod https://regex101.com/r/vWFIMe/1

How to do Field extraction from Rex?

rex

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?