Solved: Re: How to use rex to extract JSON text in "msg" k...

kabSplunk · ‎10-21-2016

I have a json raw string from which I have to extract the "msg" key and pair value. Can you please assist. The log line looks like below:

<6>2015-11-26T17:00:15Z x45678fnjotq5 doe[88]: {"ddcfa_app_id":"asdkhad23423864-d987r89fsd-234234gsf-234jsfgsa","ddcfa_app_name":"paymentManagementApplication","ddcfa_org_id":"asdkhad23423864-d987r89fsd-234234gsf-234jsfgsasdas63g3664-s35d-33sfa","ddcfa_space_name":"noShowMessage","event_type":"LogMessage","level":"info","message_type":"OUT","msg":"DEBUG --- [ Msync160670] c.c.internal.pmtdev.CacheUtilBean : :: Exiting Method ---\u003e com.internal.pmtdev.cache.fetchDataFromIndexedEventsDaily()","origin":"rep","source_instance":"0","source_type":"APP","time":"2015-11-26T17:00:15Z","timestamp":1477069200012312311}

I want to extract "msg" field's "value":

DEBUG --- [ Msync160670] c.c.internal.pmtdev.CacheUtilBean : :: Exiting Method ---\u003e com.internal.pmtdev.cache.fetchDataFromIndexedEventsDaily()

gokadroid · ‎10-22-2016

yourBaseQuery
|rex ".*,\"msg\":\"(?<message>.*)\",\"origin\""
| complete yourSearch

View solution in original post

vaizpatu · ‎08-05-2022

.*"msg":"(?P<message>[^="]+).*

gokadroid · ‎10-22-2016

yourBaseQuery
|rex ".*,\"msg\":\"(?<message>.*)\",\"origin\""
| complete yourSearch

gokadroid · ‎03-10-2021

Adding this for reference @bsrikanthreddy5

`|eval nowstring=strftime(now(), "%Y-%m-%d")`

adayton20 · ‎10-22-2016

Is this what you're looking for?

 ... | rex field=_raw "msg\":\"(?P<msg>.[^\"\,\"]*)" | table msg

Appears to work for me:

How to use rex to extract JSON text in "msg" keyValue pair?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)