How to use rex to extract JSON text in "ip" keyValue pair?

Raymundo
Loves-to-Learn

I have a raw JSON string from which I have to extract the key/value pair that follows "Source device","values":[{"ip": . Can you please assist? The log line looks like below:

"Source device","values":[{"ip":"10.10.10.10","mac"

 I want to extract the ip address:

10.10.10.10


yuanliu
SplunkTrust

If the source is conforming JSON, you shouldn't need to use regex to extract such data. If the above is how a full line looks, the full JSON message is perhaps something like


{...,"somekey":
"Source device","values":[{"ip":"10.10.10.10","mac"
:"12:34:56:78:9a:bc"},...],...}

But no matter how the full JSON message is broken up across multiple lines, spath should be able to handle it. Using a built-in command/function to extract structured data is much more robust. So, I recommend focusing on getting the full JSON message. Assuming the JSON message is in jsonfield, the following will catch the source device

| spath input=jsonfield
| where somekey == "Source device"
| rename values{}.* AS source_*

The source IP address, for example, will be in source_ip field.


Raymundo
Loves-to-Learn

Thanks @gcusello 

For example, I am trying to see how I can extract the IP whenever it comes after the text: "Source device","values":[{"ip":

Log:
{"type":"device","key":"Source device","values":[{"ip":"10.10.10.10","mac"

I tried the following statements, but they didn't work:

| rex field=_raw ".*,\"Source device\",\"values\":"\[\{\"ip\":"(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\",\"mac\""

"Source device\",\"values\":"\[\{\"ip\": | rex field=_raw "(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| rex field=_raw "Source device,value:\S{\w+:(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"


gcusello
SplunkTrust

Hi @Raymundo,

you can try my previous regex, but if you have more IPs in your logs, you could use this:

| rex "\{\"type\":\"device\",\"key\":\"Source device\",\"values\":\[{\"ip\":\"(?<ip>\d+\.\d+\.\d+\.\d+)\",\"mac\""

that you can test at https://regex101.com/r/fiCXZP/1

Ciao.

Giuseppe

ITWhisperer
SplunkTrust

| rex field=_raw ".*,\"Source device\",\"values\":\[\{\"ip\":\"(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\",\"mac\""


gcusello
SplunkTrust

Hi @Raymundo,

you have two ways:

you can use the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath),

or a regex like the following:

| rex "\"ip\":\"(?<ip>\d+\.\d+\.\d+\.\d+)\""

Ciao.

Giuseppe

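The thread makes two points that are easy to see side by side in code: yuanliu's, that parsing the JSON (what spath does) is more robust than a byte-pattern regex, and gcusello's, that a loose "ip" regex misfires once an event carries more than one IP. The following is an added Python illustration, not SPL from the thread and not Splunk's own code; it reimplements the loose regex, the anchored rex that ITWhisperer and gcusello posted, and a structured walk equivalent to spath, and runs them over four constructed events (only the first mirrors the question's fragment). The reserialized and multi-device variants are assumptions about how other producers might emit the same data.

```python
"""Extract the "Source device" IP from JSON events three ways: a loose regex,
an anchored regex (the thread's rex ported to Python), and a structured walk
(what spath does). Standalone illustration; all sample events are constructed."""
import json
import re
from typing import Any, Optional

# Constructed sample events. Only "as_posted" mirrors the question's fragment,
# completed into a full object so it parses.
EVENTS = {
    "as_posted": (
        '{"type":"device","key":"Source device",'
        '"values":[{"ip":"10.10.10.10","mac":"12:34:56:78:9a:bc"}]}'
    ),
    # Another device listed first: a loose "ip" regex grabs the wrong address.
    "other_device_first": (
        '{"devices":['
        '{"type":"device","key":"Destination device",'
        '"values":[{"ip":"192.0.2.1","mac":"aa:bb:cc:dd:ee:ff"}]},'
        '{"type":"device","key":"Source device",'
        '"values":[{"ip":"10.10.10.10","mac":"12:34:56:78:9a:bc"}]}'
        ']}'
    ),
    # Same data from a different serializer: spaces after colons, keys in a
    # different order. Still valid JSON, but every byte-pattern regex misses.
    "reserialized": (
        '{"type": "device", "key": "Source device", '
        '"values": [{"mac": "12:34:56:78:9a:bc", "ip": "10.10.10.10"}]}'
    ),
    # The event exactly as pasted in the question: cut off mid-object, so it
    # is not parseable JSON at all.
    "truncated": (
        '{"type":"device","key":"Source device","values":[{"ip":"10.10.10.10","mac"'
    ),
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Loose pattern from the thread: the first "ip" value anywhere in the event.
LOOSE_RE = re.compile(r'"ip":"(?P<ip>' + IPV4 + r')"')

# Anchored pattern from the thread (the working rex). The leading ".*," is
# dropped because re.search already scans the whole string.
ANCHORED_RE = re.compile(
    r'"Source device","values":\[\{"ip":"(?P<ip>' + IPV4 + r')","mac"'
)


def loose_regex(event: str) -> Optional[str]:
    m = LOOSE_RE.search(event)
    return m.group("ip") if m else None


def anchored_regex(event: str) -> Optional[str]:
    m = ANCHORED_RE.search(event)
    return m.group("ip") if m else None


def _walk(node: Any):
    """Yield every dict reachable from node, depth first."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from _walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v)


def structured(event: str, key: str = "Source device") -> Optional[str]:
    """Equivalent of `spath | where key == "Source device"`: parse first, then
    select by field instead of by byte position. Returns None if the event is
    not valid JSON or carries no such device."""
    try:
        doc = json.loads(event)
    except json.JSONDecodeError:
        return None
    for obj in _walk(doc):
        if obj.get("key") == key:
            for entry in obj.get("values", []):
                if isinstance(entry, dict) and "ip" in entry:
                    return entry["ip"]
    return None


def extract_source_ip(event: str) -> Optional[str]:
    """Structured parse first; fall back to the anchored regex only for events
    that are not valid JSON (for example, truncated on the way in)."""
    return structured(event) or anchored_regex(event)
```

Running the three extractors over the constructed events shows the trade-off: the loose regex returns 192.0.2.1 for the multi-device event, both regexes return nothing for the reserialized event, and the structured walk returns nothing for the truncated event. A practitioner usually wants the structured path as the primary extraction and the anchored regex only as a fallback for broken events, which is what extract_source_ip does.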