Splunk Search

How to extract a field with rex for a stats search?

atanasmitev
Path Finder

Hello,

I am having trouble getting rex to work. I have the following:

field1 -> { "param1" : { "param1Status" : "Status INFO", ... "stuff not needed"}}

How do I extract the "Status INFO" message? I tried:

rex field=field1 ".*param1Status: (?<param1_Status>).*" | stats values(param1_Status) 

which shows no errors, but doesn't extract statistics either. Help?

0 Karma
1 Solution

esix_splunk
Splunk Employee

Formatting on here isn't great, I've edited the previous post. Should be as here also:

rex field=field1 "param1Status\"\s*:\s*\"(?<param1_Status>[^\"]+)\""


chimell
Motivator
......| rex "(?i).*?->{ \"\w+\d\" : { \"\w+\d\w+\" :\"(?P<status_info>\w+\s\w+)(?=\"),...\"\w+\s\w+\s\w+\"}}"| stats count by status_info
0 Karma

atanasmitev
Path Finder

It does the job everywhere else but in my Splunk 🙂 so I will further debug my Splunk instance and accept the answer

0 Karma

atanasmitev
Path Finder

I suppose we are almost there; it could be an error with escaping slashes, as it states now: "Error in 'SearchParser': Missing a search command before '^'."

What is weird is that, according to http://regex101.com/, the above rex is OK and matches exactly as needed.

0 Karma

esix_splunk
Splunk Employee

There needs to be an additional " on the end of the rex, as I am capturing everything in that capture group up to the ".

search .... | rex field=field1 ".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"" | stats ...

esix_splunk
Splunk Employee

If you're wanting to capture 'Status INFO' without quotes, your regex is wrong. Try:

rex field=field1 ".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"
0 Karma

atanasmitev
Path Finder

This one above returns mismatched "]"

0 Karma
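The quoting problem the whole thread circles around (the `"` inside `[^"]` ending the SPL string early, so `]+)` is left for the search parser) can be reproduced offline. This is an added example, not code from any post above: Python's `re` stands in for Splunk's PCRE, `spl_quoted_arg` is an assumed, simplified model of how Splunk reads a double-quoted argument (only `\"` is treated as an escape), and the `field1` value is constructed from the question's sample.

```python
import re

# Constructed sample: the field1 value from the question, with the "..." placeholder
# replaced by a second key so the text is complete.
FIELD1 = '{ "param1" : { "param1Status" : "Status INFO", "other" : "stuff not needed"}}'

# The question's pattern: empty capture group and no space before the colon.
ORIGINAL_REGEX = r'.*param1Status: (?<param1_Status>).*'

# The answer's rex argument exactly as it was posted (the SPL text, quotes included).
AS_POSTED_SPL = r'".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"'
# The same intent with every inner quote escaped as \" so the SPL string stays intact.
CORRECTED_SPL = r'"param1Status\"\s*:\s*\"(?<param1_Status>[^\"]+)\""'


def spl_quoted_arg(spl: str):
    """Assumed SPL rule: the string ends at the first unescaped ", and \" yields ".
    Returns (regex_handed_to_rex, text_left_for_the_search_parser)."""
    if not spl.startswith('"'):
        raise ValueError("expected a double-quoted argument")
    out, i = [], 1
    while i < len(spl):
        c = spl[i]
        if c == '\\' and i + 1 < len(spl) and spl[i + 1] == '"':
            out.append('"')          # escaped quote becomes a literal quote
            i += 2
        elif c == '"':
            return ''.join(out), spl[i + 1:]
        else:
            out.append(c)            # other backslashes pass through to the regex engine
            i += 1
    raise ValueError("unterminated string")


def to_python_re(pattern: str) -> str:
    """Python's re needs (?P<name>...), Splunk/PCRE accept (?<name>...)."""
    return re.sub(r'\(\?<(\w+)>', r'(?P<\1>', pattern)


def rex_extract(pattern: str, value: str):
    """Mimic 'rex field=field1 "<pattern>"': dict of named groups, or None if no match."""
    m = re.search(to_python_re(pattern), value)
    return m.groupdict() if m else None


def run_corrected():
    """End to end: unquote the corrected SPL argument, then apply it to field1."""
    regex, leftover = spl_quoted_arg(CORRECTED_SPL)
    return rex_extract(regex, FIELD1), leftover
```

`spl_quoted_arg(AS_POSTED_SPL)` returns only `.*param1Status` as the regex, with `\s:\s\"(?<param1_Status>[^"]+)\"` left over, which is where the "mismatched ]" comes from; the corrected form hands the full pattern to rex and yields `Status INFO`.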