Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use rex command to extract two fields a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} .
How can i extract TransactionName and TranscationStatus and print in table form TransactionName and its count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval _raw="2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{\"message\":{\"TransactionStatus\":true,\"TransactioName\":\"removeLockedUser-1498029828160\"}}"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex "{\"TransactionStatus\":(?<TransactionStatus>[^,]*),\"TransactioName\":\"(?<TransactioName>[^\"]*)\""
| chart count OVER TransactioName BY TransactionStatus
SPECIAL NOTE: Are you sure there is not a missing n in your given text for TransactioName (this may have to be adjusted)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval _raw="2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{\"message\":{\"TransactionStatus\":true,\"TransactioName\":\"removeLockedUser-1498029828160\"}}"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex "{\"TransactionStatus\":(?<TransactionStatus>[^,]*),\"TransactioName\":\"(?<TransactioName>[^\"]*)\""
| chart count OVER TransactioName BY TransactionStatus
SPECIAL NOTE: Are you sure there is not a missing n in your given text for TransactioName (this may have to be adjusted)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Mr. Woodcock. This saved me a lot of time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock
btw: Your syntax for "COMMENT" is not wrong, but there is a new one (since 6.5) you might find interesting.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Search/Addcommentstosearches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I like mine better. When the create a genuine comment command, not a macro, then I will switch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi anuarora
you could use this regex to extract your two fields:
\{\"TransactionStatus\"\:(?<TransactionStatus>[^,]*),\"TransactioName\"\:\"(?<TransactioName>[^\"]*)\"
you can put it in Field extraction or in rex command
| rex "\{\"TransactionStatus\"\:(?<TransactionStatus>[^,]*),\"TransactioName\"\:\"(?<TransactioName>[^\"]*)\""
Test it at https://regex101.com/r/8Ff4ji/1
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried below query but didn't get any success. It is always giving me 0.
sourcetype=10.240.204.69 "TransactionStatus" | rex field=_raw ".TransactionStatus (?.)" |stats count((status=true)) as success_count
.conf25 Global Broadcast: Don’t Miss a Moment
Observe and Secure All Apps with Splunk
What's New in Splunk Observability - August 2025
