Hello,
I am having trouble getting rex to work. I have the following:
field1 -> { "param1" : { "param1Status" : "Status INFO", ... "stuff not needed"}}
How do I extract the "Status INFO" message? I tried:
rex field=field1 ".*param1Status: (?<param1_Status>).*" | stats values(param1_Status)
which shows no errors, but doesn't extract statistics either. Help?
Formatting on here isn't great, I've edited the previous post. Should be as here also:
rex field=field1 ".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"
......| rex "(?i).*?->{ "/\w+\d"/ : { "/\w+\d\w+"/ :"/(?P<status_info>\w+\s\w+)(?="/),..."/\w+\s\w+\s\w+"/}}"| stats count by status_info
It does the job everywhere else but in my Splunk 🙂, so I will further debug my Splunk instance and accept the answer.
I suppose we are almost there; it could be an error with escaping slashes,
as it states now: "Error in 'SearchParser': Missing a search command before '^'."
Weirdly, according to http://regex101.com/, the above rex is OK and matches exactly as needed.
There needs to be an additional " on the end of the rex, as I am capturing everything in that capture group up to the ".
search .... | rex field=field1 ".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"" | stats ...
If you're wanting to capture 'Status INFO' without quotes, your regex is wrong. Try:
rex field=field1 ".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"
The one above returns mismatched "]".
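As an added check that is not part of the thread above: the same regex run outside Splunk with Python's re module, against constructed events in the shape of field1 from the question. It shows why the first attempt returns nothing (the named group is empty, and the key is followed by a quote rather than ": ") and why the answer's pattern works. Python only accepts the (?P<name>...) form for named groups; Splunk's rex (PCRE) accepts that form as well as (?<name>...). The to_spl_rex helper is my own and does one thing: it escapes the double quotes inside the regex and adds the closing quote of the SPL string, which is the point made above about the missing trailing ".

```python
import re

# Constructed events in the shape of field1 from the question (not real data).
EVENTS = [
    '{ "param1" : { "param1Status" : "Status INFO", "other" : "stuff not needed"}}',
    '{ "param1" : {"param1Status":"Status WARN", "other" : "stuff not needed"}}',
    '{ "param1" : { "param1Status" : "Status INFO" }}',
]

# The first attempt from the question: the named group is empty, so even when
# the pattern matches it can only ever capture "". Here it does not match at
# all, because the key is followed by '"' and not by ': '.
BROKEN = r'.*param1Status: (?P<param1_Status>).*'

# Working pattern: anchor on the quoted key, allow optional whitespace around
# the colon, then capture everything up to (not including) the closing quote.
WORKING = r'"param1Status"\s*:\s*"(?P<param1_Status>[^"]+)"'


def extract(pattern: str, text: str):
    """Return the named groups of the first match, or None if nothing matched."""
    m = re.search(pattern, text)
    return None if m is None else m.groupdict()


def status_values(pattern: str, events):
    """Equivalent of '| stats values(param1_Status)': sorted distinct values."""
    found = set()
    for ev in events:
        groups = extract(pattern, ev)
        if groups and groups.get("param1_Status"):
            found.add(groups["param1_Status"])
    return sorted(found)


def to_spl_rex(field: str, pattern: str) -> str:
    """Render the pattern as a Splunk rex command (helper written for this example).

    The rex argument is a double-quoted SPL string, so every literal '"' inside
    the regex has to be written as '\\"', and the string needs its own closing
    quote after the regex. Assumption: the pattern contains nothing else that
    SPL treats specially (e.g. '\\s' is passed through unchanged).
    """
    escaped = pattern.replace('"', '\\"')
    return f'rex field={field} "{escaped}"'


if __name__ == "__main__":
    print("broken :", status_values(BROKEN, EVENTS))    # []
    print("working:", status_values(WORKING, EVENTS))   # ['Status INFO', 'Status WARN']
    print(to_spl_rex("field1", WORKING))
```

Since field1 is JSON, the quoting problem can be sidestepped entirely in Splunk with spath instead of rex: `| spath input=field1 path=param1.param1Status output=param1_Status | stats values(param1_Status)`.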