Splunk Search

How to extract a field with rex for a stats search?

atanasmitev
Path Finder

Hello,

I am having trouble getting rex to work. I have the following :

field1 -> { "param1" : { "param1Status" : "Status INFO", ... "stuff not needed"}}

How do I extract the "Status INFO" message ? I tried :

rex field=field1 ".*param1Status: (?<param1_Status>).*" | stats values(param1_Status) 

which shows no errors, but doesn't extract statistics either. Help ?

1 Solution

esix_splunk
Splunk Employee

Formatting on here isn't great, I've edited the previous post. Should be as here also:

rex field=field1 ".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"


chimell
Motivator
......| rex  "(?i).*?->{ "/\w+\d"/ : { "/\w+\d\w+"/ :"/(?P<status_info>\w+\s\w+)(?="/),..."/\w+\s\w+\s\w+"/}}"| stats count by status_info

atanasmitev
Path Finder

It does the job everywhere else but in my Splunk 🙂 so I will further debug my Splunk instance and accept the answer.


atanasmitev
Path Finder

I suppose we are almost there; it could be an error with escaping slashes,
as it now states: "Error in 'SearchParser': Missing a search command before '^'. "

What's weird is that, according to http://regex101.com/, the above rex is OK and matches exactly as needed.


esix_splunk
Splunk Employee

There needs to be an additional " on the end of the rex, as I am capturing everything in that capture group up to the ".

search .... | rex field=field1 ".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"" | stats ...
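To see why the original attempt captured nothing and what the corrected pattern has to look like, here is an added example (not code from the thread or from Splunk) that runs the same regex logic in Python on a constructed field1 value. It uses the (?P<name>...) group syntax, which both Python and Splunk's rex accept, and also shows the escaped-quote form of the rex command that I would use in SPL, since inside an SPL double-quoted string every literal " has to be written as \". The JSON-based extractor is an alternative for this field shape; in Splunk the equivalent is the spath command.

```python
import json
import re
from typing import List, Optional

# Constructed sample values of field1 (not events from the thread), in the shape the
# question describes. The last one is deliberately malformed to show failure handling.
EVENTS = [
    '{ "param1" : { "param1Status" : "Status INFO", "other" : "stuff not needed" } }',
    '{ "param1" : { "param1Status" : "Status WARN", "other" : "stuff not needed" } }',
    '{ "param1" : { "param1Status":"Status INFO" } }',
    'not json at all',
]

# The asker's pattern. Two problems: the literal "param1Status: " never occurs in the
# value (there is a closing quote and spaces between the key and the colon), so it
# does not match at all; and even if it did, the named group is empty, so it would
# capture "" rather than the status text.
ASKER_PATTERN = r'.*param1Status: (?P<param1_Status>).*'

# Corrected pattern: match the quoted key, allow optional whitespace around the colon,
# then capture everything up to the next double quote.
FIXED_PATTERN = r'"param1Status"\s*:\s*"(?P<param1_Status>[^"]+)"'

# The same pattern as I would type it in SPL, with every literal quote escaped so the
# search parser does not end the string early (hypothetical, not from the thread):
#   ... | rex field=field1 "\"param1Status\"\s*:\s*\"(?<param1_Status>[^\"]+)\"" | stats values(param1_Status)


def extract_status(value: str, pattern: str) -> Optional[str]:
    """Return the param1_Status capture for one event, or None when there is no match."""
    m = re.search(pattern, value)
    return m.group("param1_Status") if m else None


def extract_status_json(value: str) -> Optional[str]:
    """Parse the field as JSON instead of regexing it; None for malformed input."""
    try:
        data = json.loads(value)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    return data.get("param1", {}).get("param1Status")


def stats_values(values: List[str], pattern: str) -> List[str]:
    """Mimic `stats values(param1_Status)`: distinct extracted values, sorted,
    skipping events where rex produced nothing."""
    found = {extract_status(v, pattern) for v in values}
    found.discard(None)
    return sorted(found)


if __name__ == "__main__":
    print("asker pattern :", stats_values(EVENTS, ASKER_PATTERN))   # []
    print("fixed pattern :", stats_values(EVENTS, FIXED_PATTERN))   # ['Status INFO', 'Status WARN']
    print("json parsing  :", [extract_status_json(e) for e in EVENTS])
```

Running it prints an empty list for the asker's pattern and the two distinct statuses for the corrected one, which is the result the stats command was expected to produce.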

esix_splunk
Splunk Employee

If you're wanting to capture 'Status INFO' without quotes, your regex is wrong. Try:

rex field=field1 ".*param1Status"\s:\s\"(?<param1_Status>[^"]+)\"

atanasmitev
Path Finder

This one above returns mismatched "]"
