Splunk Search

How to use rex to extract JSON text in "ip" keyValue pair?

Raymundo
Loves-to-Learn

I have a JSON raw string from which I have to extract the "Source device","values":[{"ip": key and value pair. Can you please assist. The log line looks like below:

"Source device","values":[{"ip":"10.10.10.10","mac"

 I want to extract the ip address:

10.10.10.10


yuanliu
SplunkTrust

If the source is conforming JSON, you shouldn't need to use regex to extract such data. If the above is how a full line looks, the full JSON message is perhaps something like


{...,"somekey":
"Source device","values":[{"ip":"10.10.10.10","mac"
:"12:34:56:78:9a:bc"},...],...}


But no matter how the full JSON message is broken up into multiple lines, spath should be able to handle it. Using a built-in command/function to extract structured data is much more robust. So, I recommend focusing on getting the full JSON message. Assuming the JSON message is in jsonfield, the following will catch the source device

| spath input=jsonfield
| where somekey == "Source device"
| rename values{}.* AS source_*

The source IP address, for example, will be in source_ip field.


Raymundo
Loves-to-Learn

Thanks @gcusello 

For example I am trying to see how I can extract the ip whenever it is after the text: "Source device","values":[{"ip":

Log:
{"type":"device","key":"Source device","values":[{"ip":"10.10.10.10","mac"


I tried the following statements but they didn't work:

| rex field=_raw ".*,\"Source device\",\"values\":"\[\{\"ip\":"(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\",\"mac\""

"Source device\",\"values\":"\[\{\"ip\": | rex field=_raw "(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| rex field=_raw "Source device,value:\S{\w+:(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"


gcusello
SplunkTrust

Hi @Raymundo,

you can try my previous regex, but if you have more IPs in your logs, you could use this:

| rex "\{\"type\":\"device\",\"key\":\"Source device\",\"values\":\[{\"ip\":\"(?<ip>\d+\.\d+\.\d+\.\d+)\",\"mac\""

that you can test at https://regex101.com/r/fiCXZP/1

Ciao.

Giuseppe


ITWhisperer
SplunkTrust

| rex field=_raw ".*,\"Source device\",\"values\":\[\{\"ip\":\"(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\",\"mac\""

gcusello
SplunkTrust

Hi @Raymundo,

you have two ways:

you can use the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath),

or a regex like the following:

| rex "\"ip\":\"(?<ip>\d+\.\d+\.\d+\.\d+)\""

Ciao.

Giuseppe

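The two approaches in this thread, yuanliu's structured spath extraction and gcusello's regex anchored on the "Source device" key, side by side as an added Python example (not code from any of the posters or from Splunk). It assumes the event layout shown in the question; the complete two-device event and the MAC values are constructed for the demo. The structured parse is tried first and returns every IP under values{}; the regex is only a fallback for a line that is not complete JSON (such as the truncated fragment in the question), and it tightens the \d{1,3} octets to 0-255. Note that Raymundo's first two rex attempts contain an unescaped " after \"values\": that ends the SPL string early, which is why ITWhisperer's version escapes every quote.

```python
import json
import re

# Constructed sample events (only the "Source device" fragment is taken from the thread):
# a complete JSON event with two devices, and the truncated line the question shows.
FULL_EVENT = (
    '{"type":"device","key":"Source device","values":['
    '{"ip":"10.10.10.10","mac":"12:34:56:78:9a:bc"},'
    '{"ip":"10.10.10.11","mac":"12:34:56:78:9a:bd"}]}'
)
TRUNCATED_EVENT = '{"type":"device","key":"Source device","values":[{"ip":"10.10.10.10","mac"'


def extract_with_json(raw):
    """Structured extraction, the equivalent of
    | spath | where key == "Source device" | rename values{}.* AS source_*
    Returns the list of source IPs, or None when the event is not complete JSON."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if doc.get("key") != "Source device":
        return []
    return [v["ip"] for v in doc.get("values", []) if isinstance(v, dict) and "ip" in v]


# Regex fallback for truncated lines. It is anchored on the "Source device" key so
# "ip" values belonging to other keys are ignored, and each octet is restricted to
# 0-255 instead of \d{1,3}, so "999.1.1.1" is not accepted as an address.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
SRC_IP_RE = re.compile(
    r'"key":"Source device","values":\[\{"ip":"'
    + r"(?P<src_ip>" + OCTET + r"(?:\." + OCTET + r"){3})"
    + r'"'
)


def extract_with_regex(raw):
    """Return the first source IP matched by the anchored pattern, or None."""
    m = SRC_IP_RE.search(raw)
    return m.group("src_ip") if m else None


def extract_source_ips(raw):
    """Prefer the structured parse; fall back to the regex only for non-JSON input."""
    ips = extract_with_json(raw)
    if ips is not None:
        return ips
    ip = extract_with_regex(raw)
    return [ip] if ip else []


if __name__ == "__main__":
    for event in (FULL_EVENT, TRUNCATED_EVENT):
        print(extract_source_ips(event))
```

The design mirrors yuanliu's advice: the regex never runs on a well-formed event, so field order, whitespace or extra keys in the JSON cannot break the extraction, while the truncated fragment still yields its single address.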