Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use rex to extract JSON text in "ip" keyValue pair?

Raymundo
Loves-to-Learn
‎01-28-2022 10:55 PM

I have a json raw string from which I have to extract the           "Source device","values":[{"ip":            key and pair value. Can you please assist. The log line looks like below:

"Source device","values":[{"ip":"10.10.10.10","mac"

 I want to extract the ip address:

10.10.10.10

Labels (2)
Labels
Tags (2)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-30-2022 12:21 AM

If the source is conforming JSON, you shouldn't need to use regex to extract such data.  If the above is how a fully line looks like, the full JSON message is perhaps something like

 

{...,"somekey":
"Source device","values":[{"ip":"10.10.10.10","mac"
:"12:34:56:78:9a:bc"},...],...}

 

But no matter how the full JSON message is broken up in multiple lines, spath should be able to handle it.  Using a build-in command/function to extract structured data is much more robust.  So, I recommend to focus on getting the full JSON message.  Assuming the JSON message is in jsonfield, the following will catch the source device

| spath input=jsonfield
| where somekey == "Source device"
| rename values{}.* AS source_*

The source IP address, for example, will be in source_ip field.

Tags (1)
0 Karma
Reply

Raymundo
Loves-to-Learn
‎01-28-2022 11:35 PM

Thanks @gcusello 

For example I am trying to see how I can extract the ip whenever it is after the text: "Source device","values":[{"ip":

Log:
{"type":"device","key":"Source device","values":[{"ip":"10.10.10.10","mac"

 

try the following statement but it didn't work:

| rex field=_raw ".*,\"Source device\",\"values\":"\[\{\"ip\":"(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\",\"mac\""

"Source device\",\"values\":"\[\{\"ip\": | rex field=_raw "(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| rex field=_raw "Source device,value:\S{\w+:(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-29-2022 10:42 PM

Hi @Raymundo,

you can try my previous regex, but if you have more ips in your logs, you could use this:

| rex "\{\"type\":\"device\",\"key\":\"Source device\",\"values\":\[{\"ip\":\"(?<ip>\d+\.\d+\.\d+\.\d+)\",\"mac\""

that you can test at https://regex101.com/r/fiCXZP/1

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-29-2022 12:01 AM 
| rex field=_raw ".*,\"Source device\",\"values\":\[\{\"ip\":\"(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\",\"mac\""
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-28-2022 11:04 PM

Hi @Raymundo,

you have two ways:

you can use the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath),

or a regex like the following:

| rex "\"ip\":\"(?<ip>\d+\.\d+\.\d+\.\d+)\""

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top