Solved: How to extract using rex

avi7326 · ‎10-17-2023

{ [-]
   logger: org.mule.runtime.core.internal.processor.LoggerMessageProcessor
   message: Received update request IL_Customer. Size of array: 1
   properties: { [-]
     correlationId: 4b910aaf-d316-4594-8eda-c56e861499d3

I want to extract the IL_customer and array size from the above log. What will be the regular expression.

Thanks in Advance

yuanliu · ‎10-17-2023

The values OP is seeking is in the field message. (From the illustration in OP, the event is JSON - but it is best to illustrate with raw text, not a copy from Splunk's formatted event view.) So

| rex field=message "Received update request (?<IL_Customer>[^\.]+)\. Size of array: (?<ArraySize>\d+)"

(Also slightly more efficient because the regex engine would be scanning smaller strings.)

View solution in original post

richgalloway · ‎10-17-2023

There's probably a JSON-ic way to do that (assuming the event is pure JSON), but rex can handle a few fields nicely.

Assuming the order of fields is fixed, this regex should do it.

| rex "Received update request (?<IL_Customer>[^\.]+)\. Size of array: (?<ArraySize>\d+)"

---
If this reply helps you, Karma would be appreciated.

yuanliu · ‎10-17-2023

The values OP is seeking is in the field message. (From the illustration in OP, the event is JSON - but it is best to illustrate with raw text, not a copy from Splunk's formatted event view.) So

| rex field=message "Received update request (?<IL_Customer>[^\.]+)\. Size of array: (?<ArraySize>\d+)"

(Also slightly more efficient because the regex engine would be scanning smaller strings.)

How to extract using rex

rex

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies