Splunk Search

How to extract the request type and instanceId fields values?

Sangamesh
Explorer

{"log":"{\\"instanceId\\":\\"abc-fdh-48f-4432\\",\\"requestType\\":\\"ABC\\"}

Using the above sample log, how to extract the request type and instanceId fields values?

1 Solution

ITWhisperer
SplunkTrust
| rex "\"(requestId|RequestID\\\+)\":[^\"]*\"(?<requestId>[^\"\\\]+)"
| rex "\"(requestType|RequestType\\\+)\":[^\"]*\"(?<requestType>[^\"\\\]+)"
| rex "\"(message|message\\\+)\":[^\"]*\"(?<message>[^\"\\\]+)"
| rex "\"(http\.endpoint|http\.endpoint\\\+)\":[^\"]*\"(?<httpEndpoint>[^\"\\\]+)"


yuanliu
SplunkTrust

This is part of a JSON object.  If the raw event is also JSON, you should have a field named "log".   Is this correct?

You don't need rex to extract requestType. The best way to extract structured data is spath:

| spath input=log

Your sample data should give you

instanceId       | log                                                      | requestType
abc-fdh-48f-4432 | {"instanceId":"abc-fdh-48f-4432","requestType":"ABC"}    | ABC

If for some reason log is not available as a field, you should extract the full JSON object that contains "log" as a key, extract that JSON with spath, then extract the fields contained in log using spath.


Sangamesh
Explorer

log is not available as a field. The solution didn't work.


yuanliu
SplunkTrust

Can you share some raw data (anonymized as needed)? Clearly "log" is one node in a larger JSON object. You should try to reach that object and work down the structure rather than trying to treat structured data as a string.


ITWhisperer
SplunkTrust

@yuanliu How many times do we have to ask for sample data? I may consider boycotting questions without suitable data 😀

ITWhisperer
SplunkTrust
| foreach instanceId requestType
    [| rex "<<FIELD>>[^\"]+\"[^\"]+\"(?<<<FIELD>>>[^\\\]+)"]

Sangamesh
Explorer

@ITWhisperer Could you please provide a brief explanation of this regex?


ITWhisperer
SplunkTrust

The regex matches to the anchor, skips over the double quotes to get to the field contents and extracts the contents up to the next backslash (which is delimiting the contents in your example).


Sangamesh
Explorer

Here is the sample _raw from Splunk, but it has 2 different log formats: one format without double backslashes (\\) and the other one with double backslashes (\\). How do I extract requestId, requestType, message, endpoint?

{"host":"xx-1345a0196e.svr.am.abcde.net","app_id":"4324","source":"fstatabd","@version":"1",
"log":"{"timestamp":"2023-06-20T15:58:20.505Z","logger":"com.abcde.abcservices.service.ghstreamService",
"instanceId":"abc-atments-service-green-55dbdb5859-75vkl","namespace":"80458d64606-ct-abc-gkp-test",
"platform":"GKP","message":"Received xyz Callback Response for RequestId: 1436, Status code : 200 OK,
Response Payload : Successfully received the response","level":"INFO","traceId":"6491cc9c8bb8f102fafe7b07de24a457",
"spanId":"fafe7b07de24a457","remote-host":"123.027.16.57","protocol":"HTTP/1.1",
"http.endpoint":"GET /ament/p2CallBack","requestType":"RRR","requestId":"1436"}",
"s_sourcetype":"rost","tags":["_dateparsefailure"],
"Kubernetes.node":"xx-1535a0196e.svr.am.abcde.net","appId":"4324","@timestamp":"2023-06-20T15:58:31.263Z"}

{"log":"{\\"timestamp\\":\\"2023-06-21T07:45:54.528Z\\",\\"logger\\":\\"com.csa.fsces.service.3Service\\",
\\"instanceId\\":\\"unw-sthrage-service-green-58694cdbb8-smbjj\\",\\"namespace\\":\\"4248-ct-xrw-gkp-dev\\",
\\"platform\\":\\"GKP\\",\\"message\\":\\"Entity name: NDAN_POSITION_VUE,
Record type: NR, Request Id: 100185, Infdund context: 485640257604\\",
\\"level\\":\\"INFO\\",\\"traceId\\":\\"6492aa2326285332f853f16e2a49fd50\\",
\\"spanId\\":\\"9dc079cc5ef24811\\",\\"remote-host\\":\\"123.456.125.09\\",
\\"protocol\\":\\"HTTP/1.1\\",\\"http.endpoint\\":\\"POST /storage/e3/createfile/\\",
\\"RequestID\\":\\"143185\\",\\"user-agent\\":\\"Java/17.0.7\\",\\"RequestType\\":\\"TR\\"}",
"Kubernetes.node":"hh-10feb4b660.svr.us.sj.net","appId":"5352","hostname":"gg-10geb4b660.svr.us.sj.net"}


yuanliu
SplunkTrust

Again, if your developer had done their homework, they would have written conformant JSON, meaning that you could have more robust field extraction using simpler commands, like this:

| spath input=log ``` 1st format should have log.requestType as a field
  2nd format's log field is a string containing escaped JSON containing a node RequestType ```
| eval RequestType = coalesce(RequestType, 'log.requestType')

There are some strange errors in the samples you cited. If they are actual errors, you should ask your developer to fix them.


ITWhisperer
SplunkTrust
| rex "\"(requestId|RequestID\\\+)\":[^\"]*\"(?<requestId>[^\"\\\]+)"
| rex "\"(requestType|RequestType\\\+)\":[^\"]*\"(?<requestType>[^\"\\\]+)"
| rex "\"(message|message\\\+)\":[^\"]*\"(?<message>[^\"\\\]+)"
| rex "\"(http\.endpoint|http\.endpoint\\\+)\":[^\"]*\"(?<httpEndpoint>[^\"\\\]+)"
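The two approaches in this thread, yuanliu's structured spath/coalesce path and ITWhisperer's rex fallback for the malformed events, side by side as an added example (not code from the thread or from Splunk); sample events are constructed from the values posted above, and the field-alias table is an assumption:

```python
import json
import re

# Constructed events in the three shapes the thread shows (values taken from the
# posted samples): valid JSON whose "log" is a string of escaped JSON, a
# double-escaped "log" string, and a "log" whose inner quotes were never escaped.
VALID = ('{"host":"h1","log":"{\\"instanceId\\":\\"abc-fdh-48f-4432\\",'
         '\\"requestType\\":\\"ABC\\"}"}')
DOUBLE = (r'{"log":"{\\"instanceId\\":\\"unw-sthrage-service-green-58694cdbb8-smbjj\\",'
          r'\\"RequestID\\":\\"143185\\",\\"RequestType\\":\\"TR\\"}"}')
MALFORMED = ('{"log":"{"instanceId":"abc-atments-service-green-55dbdb5859-75vkl",'
             '"requestType":"RRR","requestId":"1436"}"}')

# Canonical field name -> spellings seen across the two log formats (assumed).
FIELD_ALIASES = {
    "instanceId": ("instanceId",),
    "requestId": ("requestId", "RequestID"),
    "requestType": ("requestType", "RequestType"),
}

def parse_log_object(raw):
    """spath-style path: parse the event, then parse the JSON held in "log".
    Returns the inner object, or None when either layer is not valid JSON."""
    try:
        outer = json.loads(raw)
        inner = outer.get("log") if isinstance(outer, dict) else None
        if isinstance(inner, str):
            inner = json.loads(inner)  # equivalent of "| spath input=log"
        return inner if isinstance(inner, dict) else None
    except ValueError:
        return None

def rex_fallback(raw, names):
    """rex-style path for malformed events: anchor on the quoted key (either
    spelling), skip any escaping backslashes around the quotes, and take the
    value up to the next quote or backslash, as the thread's rex does. The
    leading quote keeps free text such as 'Request Id: 100185' from matching."""
    alt = "|".join(re.escape(n) for n in names)
    m = re.search(r'"(?:' + alt + r')\\*"\s*:\s*\\*"(?P<v>[^"\\]+)', raw)
    return m.group("v") if m else None

def extract(raw):
    """Prefer structured parsing; coalesce the two casings; fall back to regex."""
    inner = parse_log_object(raw)
    out = {"method": "spath" if inner is not None else "rex"}
    for canon, names in FIELD_ALIASES.items():
        val = None
        if inner is not None:
            val = next((inner[n] for n in names if n in inner), None)
        out[canon] = val if val is not None else rex_fallback(raw, names)
    return out

if __name__ == "__main__":
    for event in (VALID, DOUBLE, MALFORMED):
        print(extract(event))
```

Only the first event parses as JSON end to end; the other two are exactly the cases where spath returns nothing and the regex anchored on the key name is the only option short of fixing the producer.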

Sangamesh
Explorer

@ITWhisperer How do I extract RequestID, http.endpoint, message and RequestType from the different types of logs mentioned below?

{"@version":"1","tags":["_dateparsefailure"],"host":"wh-45sg.svr.us.xyz.net","s_sourcetype":"godn","log":"{\"timestamp\":\"2023-06-21T07:45:54.528Z\",\"logger\":\"com.csa.fsces.service.3Service\",
\"instanceId\":\"unw-sthrage-service-green-58694cdbb8-smbjj\",\"namespace\":\"4248-ct-xrw-gkp-dev\",
\"platform\":\"GKP\\",\"message\":\"Entity name: NDAN_POSITION_VUE,Record type: NR, Request Id: 100185, Infdund context: 485640257604\",
\"level\":\"INFO\",\"traceId\":\"6492aa2326285332f853f16e2a49fd50\",
\"spanId\":\"9dc079cc5ef24811\",\"remote-host\":\"123.456.125.09\",
\"protocol\":\"HTTP/1.1\",\"http.endpoint\":\"POST /storage/e3/createfile/\",
\"RequestID\":\"143185\",\"user-agent\":\"Java/17.0.7\",\"RequestType\":\"TR\"}",
"Kubernetes.node":"hh-10feb4b660.svr.us.sj.net","appId":"5352","hostname":"gg-10geb4b660.svr.us.sj.net"}

{"host":"xx-1345a0196e.svr.am.abcde.net","app_id":"4324","source":"fstatabd","@version":"1",
"log":"{"timestamp":"2023-06-20T15:58:20.505Z","logger":"com.abcde.abcservices.service.ghstreamService",
"instanceId":"abc-atments-service-green-55dbdb5859-75vkl","namespace":"80458d64606-ct-abc-gkp-test",
"platform":"GKP","message":"Received xyz Callback Response for RequestId: 1436, Status code : 200 OK,
Response Payload : Successfully received the response","level":"INFO","traceId":"6491cc9c8bb8f102fafe7b07de24a457",
"spanId":"fafe7b07de24a457","remote-host":"123.027.16.57","protocol":"HTTP/1.1",
"http.endpoint":"GET /ament/p2CallBack","requestType":"RRR","requestId":"1436"}",
"s_sourcetype":"rost","tags":["_dateparsefailure"],
"Kubernetes.node":"xx-1535a0196e.svr.am.abcde.net","appId":"4324","@timestamp":"2023-06-20T15:58:31.263Z"}

{"log":"{\\"timestamp\\":\\"2023-06-21T07:45:54.528Z\\",\\"logger\\":\\"com.csa.fsces.service.3Service\\",
\\"instanceId\\":\\"unw-sthrage-service-green-58694cdbb8-smbjj\\",\\"namespace\\":\\"4248-ct-xrw-gkp-dev\\",
\\"platform\\":\\"GKP\\",\\"message\\":\\"Entity name: NDAN_POSITION_VUE,
Record type: NR, Request Id: 100185, Infdund context: 485640257604\\",
\\"level\\":\\"INFO\\",\\"traceId\\":\\"6492aa2326285332f853f16e2a49fd50\\",
\\"spanId\\":\\"9dc079cc5ef24811\\",\\"remote-host\\":\\"123.456.125.09\\",
\\"protocol\\":\\"HTTP/1.1\\",\\"http.endpoint\\":\\"POST /storage/e3/createfile/\\",
\\"RequestID\\":\\"143185\\",\\"user-agent\\":\\"Java/17.0.7\\",\\"RequestType\\":\\"TR\\"}",
"Kubernetes.node":"hh-10feb4b660.svr.us.sj.net","appId":"5352","hostname":"gg-10geb4b660.svr.us.sj.net"}


ITWhisperer
SplunkTrust

Use the solution previously accepted.


Sangamesh
Explorer

Please provide the steps for creating a dynamic dashboard using the output of the previous solution. It should include timestamp, requestId, instanceId, message and endpoint.

requestId and requestType should be dropdown menus and Date should be a calendar text field. Based on the combination of these selections, it should populate the data in the dashboard.


gcusello
SplunkTrust

Hi @Sangamesh ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


gcusello
SplunkTrust

Hi @Sangamesh,

please try this regex:

requestType\\\\\":\\\\\"(?<requestType>\w+)

that you can test at https://regex101.com/r/WUjcyz/1

Ciao

Giuseppe
