Splunk Search

How to extract name of the job from the raw text?

Renunaren
Loves-to-Learn Everything

Hi Team,

Below is the raw text that has been received into our splunk portal. It has a field called name of the job.

{"timestamp": "2023-03-29T04:57:07.366881Z", "level": "INFO", "filename": "splunk_sample_csv.py", "funcName": "main", "lineno": 38, "message": "Dataframe row : {\"_c0\":{\"0\":\"{\",\"1\":\"    \\\"total\\\": 236\",\"2\":\"    \\\"statuses\\\": [\",\"3\":\"        {\",\"4\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"5\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"6\":\"            \\\"count\\\": 0\",\"7\":\"            \\\"name\\\": \\\"BHW_T8841_ANTRAG_RDV\\\"\",\"8\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvp\\\"\",\"9\":\"        }\",\"10\":\"        {\",\"11\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"12\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"13\":\"            \\\"count\\\": 0\",\"14\":\"            \\\"name\\\": \\\"BHW_T8009_DATEN_EBIS_RDV\\\"\",\"15\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvi\\\"\",\"16\":\"        }\",\"17\":\"        {\",\"18\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"19\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"20\":\"            \\\"count\\\": 0\",\"21\":\"            \\\"name\\\": \\\"BHW_T5895_AZV_DATEN_RDV\\\"\",\"22\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvd\\\"\",\"23\":\"        }\",\"24\":\"        {\",\"25\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"26\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"27\":\"            \\\"count\\\": 0\",\"28\":\"            \\\"name\\\": \\\"BHW_T5829_SONDERTILGUNG_RDV\\\"\",\"29\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv9\\\"\",\"30\":\"        }\",\"31\":\"        {\",\"32\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"33\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"34\":\"            \\\"count\\\": 0\",\"35\":\"            \\\"name\\\": \\\"BHW_T5152_PROLO_ZINSEN_RDV\\\"\",\"36\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv6\\\"\",\"37\":\"        }\",\"38\":\"        {\",\"39\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"40\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"41\":\"            \\\"count\\\": 0\",\"42\":\"            \\\"name\\\": \\\"BHW_T5149_PROLO_KOND_RDV\\\"\",\"43\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv1\\\"\",\"44\":\"        }\",\"45\":\"        {\",\"46\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"47\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"48\":\"            \\\"count\\\": 0\",\"49\":\"            \\\"name\\\": \\\"BHW_T5144_ZUT_SALDEN_RDV\\\"\",\"50\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqux\\\"\",\"51\":\"        }\",\"52\":\"        {\",\"53\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"54\":\"              

 

We need to separate the text after \\\"name\\\":\\\"**********\\\.

 

We need to separate the ***** text .

Please  

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 "\\\\\\\\\\\\\"name\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?<name>[^\\\]+)"
0 Karma

Renunaren
Loves-to-Learn Everything

Also can you please help me on how to add the extracted name as a column in a tabular view in the splunk dashboard

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am not sure what you are asking for here - you already have a field (column) called name extracted by the rex command. It is a multivalue-field. Do you just need it as separate events (rows) in a table?

| table name
| mvexpand name
0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...