Solved: How to extract using rex

avi7326 · ‎10-17-2023

{ [-]
   logger: org.mule.runtime.core.internal.processor.LoggerMessageProcessor
   message: Received update request IL_Customer. Size of array: 1
   properties: { [-]
     correlationId: 4b910aaf-d316-4594-8eda-c56e861499d3

I want to extract the IL_customer and array size from the above log. What will be the regular expression.

Thanks in Advance

yuanliu · ‎10-17-2023

The values OP is seeking is in the field message. (From the illustration in OP, the event is JSON - but it is best to illustrate with raw text, not a copy from Splunk's formatted event view.) So

| rex field=message "Received update request (?<IL_Customer>[^\.]+)\. Size of array: (?<ArraySize>\d+)"

(Also slightly more efficient because the regex engine would be scanning smaller strings.)

View solution in original post

richgalloway · ‎10-17-2023

There's probably a JSON-ic way to do that (assuming the event is pure JSON), but rex can handle a few fields nicely.

Assuming the order of fields is fixed, this regex should do it.

| rex "Received update request (?<IL_Customer>[^\.]+)\. Size of array: (?<ArraySize>\d+)"

---
If this reply helps you, Karma would be appreciated.

yuanliu · ‎10-17-2023

The values OP is seeking is in the field message. (From the illustration in OP, the event is JSON - but it is best to illustrate with raw text, not a copy from Splunk's formatted event view.) So

| rex field=message "Received update request (?<IL_Customer>[^\.]+)\. Size of array: (?<ArraySize>\d+)"

(Also slightly more efficient because the regex engine would be scanning smaller strings.)

How to extract using rex

rex

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment