Re: Help with Regex

vp · ‎09-30-2022

I am trying to extract field from the "textPayload" value which is log message and it has "status" as key.

I want to make my search by extracting "status" as a field and apply for creating alerts.

Here is the regex i generated and working in regex101 >> \\"status\\":\\"(?<status>[^\"]+)

Here is our sample log

================================================================================

{"insertId":"l9ple6wfkvbdfasfdsfdwyoo","labels":{"compute.googleapis.com/resource_name":"gke-default-node-poo-4e912bb9-vrl1","k8s-pod/app":"some-service,"k8s-pod/environment":"dev","k8s-pod/part-of":"some-service","k8s-pod/pod-template-hash":"79cb686fcf","k8s-pod/security_istio_io/tlsMode":"istio","k8s-pod/service_istio_io/canonical-name":"some-service","k8s-pod/service_istio_io/canonical-revision":"v1","k8s-pod/stage":"dev","k8s-pod/version":"v1"},"logName":"projects/abc-dev/logs/stdout","receiveTimestamp":"2022-09-30T15:00:05.2690572Z","resource":{"labels":{"cluster_name":"-gke-dev","container_name":"some-service-v1","location":"us-east4","namespace_name":"dev","pod_name":"some-service-v1-79cb686fcf-x2frb","project_id":"gke-dev"},"type":"k8s_container"},"severity":"INFO","textPayload":"2022-09-30 15:00:00.952 INFO 1 --- [nio-8080-exec-8] c.a.a.a.controller.BrokerController : {\"classification\"😕"NORMAL\",\"action\"😕"ALERT\",\"host\"😕"asome-service-v1-79cb686fcf-x2frb\",\"ipAddr\"😕"10.143.104.169\",\"status\"😕"SUCCESS\",\"time\"😕"2022-09-30T15:00:00.952Z\",\"msg\"😕"getToken - Start\"}","timestamp":"2022-09-30T15:00:00.95264915Z"}

johnhuang · ‎09-30-2022

<base search>
| rex "\{\x5c\"(?<_raw>[^\}]*)"
| rex field=_raw mode=sed "s/\\\|\"//g"
| kv pairdelim="," kvdelim=":"

How to to extract field from the "textPayload" value?

regex

rex

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor