Splunk Search

Match two lines of text in an event as single instances

jmontgomerysc
Engager

For some background on how the data is structured, it is JSON data that I have ingested a specific way, using a regex line break that works best for most of the types of metrics I'm trying to find, so I can't split the events up differently.

Within the JSON there are separate groupings of data that report on specific modules and whether they "pass" or "fail", this is the information I'm trying to pull out. I would like to pull it into a chart to show "this many of "X" passed and this many of "X" failed". 

Below is a snippet of the JSON data to show what it looks like. There are over 100 of these groupings within a single JSON. I am trying to pull the "Severity" and "CurrentStatus" values to essentially mark the grouping as "Level2-Passed" and then do this for each grouping that is similar, and for "Level1-Passed", "Level1-Failed" and so on. I am able to get the number of "Severity" values and "CurrentStatus" values but have not been able to correlate the two together.

 {
          "ID": "",
          "Title": "",
          "Rule": "",
          "Severity": "LEVEL II",
          "Version": "",
          "Description": "",
          "Location": "",
          "KeyName": "",
          "KeyType": "",
          "ExpectedValue": "",
          "OriginalValue": "",
          "CurrentValue": "",
          "Options": "",
          "Comments": "",
          "ActionTaken": "",
          "CurrentStatus": "PASSED",
          "Conflict": ""
        },

I have tried using a combo of the following to split the single event into multiple events but have not found a search command that works with this to get the data in a format that will work.

| eval EventGroups=split(_raw,"},")

I have also tried using a number of combinations of rex and regex search commands similar to the below but have not been able to get them to properly

Example:

| rex field=EventGroups "(?<LevelI>(.Severity.*?)(LEVEL I\b))"
| rex field=EventGroups "(?<LevelII>(.Severity.*?)(LEVEL II\b))"
| rex field=EventGroups "(?<LevelIII>(.Severity.*?)(LEVEL III\b))"
| rex field=EventGroups "(?<CurrentStatusPASSED>(.CurrentStatus.*?)(PASSED.))"
| rex field=EventGroups "(?<CurrentStatusFAILED>(.CurrentStatus.*?)(\SFAILED.))"

And...

| rex max_match=0 field=EventGroups "(?<SevCATI_F>(.*?.*\n.*\n.*\n.*\n.*?(\bLEVEL I\b).*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*?\S(\bFAILED\b).*\n.*\n.*?.*))"

Any help or advice with this would be greatly appreciated.

richgalloway
SplunkTrust

Perhaps this will help.

... | rex field=EventGroups "Severity\\\: \\\"(?<Severity>[^\\\"]+)"
| rex field=EventGroups "CurrentStatus\\\: \\\"(?<CurrentStatus>[^\\\"]+)"
| eval SevStatus = Severity."-".CurrentStatus
| stats count by SevStatus
---
If this reply helps you, Karma would be appreciated.

jmontgomerysc
Engager

Thanks for the suggestion but, unfortunately, that did not return a stats chart. To hopefully clarify my point in my ramblings in the post, I need to be able to match all occurrences of ("Severity: Level 1" + "CurrentStatus: PASSED" = Level1-Passed), ("Severity: Level 1" + "CurrentStatus: FAILED" = Level1-Failed) and so on for the three "Levels" of Severity. From your suggestion, I think you understand where I'm trying to get to, but I just wanted to reiterate what I'm after.

I am able to get the search to make the Severity levels themselves into a field and the CurrentStatus into a field but that does not tell me how many Level 1's failed and how many passed. It seems that when doing a multi-line "rex" statement it's unable to properly pull up anything or make the fields from the rex statement.

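The pairing that the question and the follow-up describe, as an added reference implementation in Python rather than SPL (not code from either poster): each grouping is matched once with both fields in the same regex match, so Severity and CurrentStatus cannot drift apart, and a grouping that lacks either field is reported rather than silently miscounted. The sample event is constructed to resemble the snippet in the question; the field names are the ones shown there.

```python
import re
from collections import Counter

# One grouping = one {...} block; [^{}] stops a match from spanning two blocks.
GROUP_RE = re.compile(r'\{[^{}]*\}')

# Both fields captured in ONE match, so Severity and CurrentStatus stay paired
# per grouping even though they sit on different lines. finditer() plays the
# role that rex max_match=0 (followed by mvzip) would play in SPL.
PAIR_RE = re.compile(
    r'\{[^{}]*?"Severity"\s*:\s*"(?P<sev>[^"]*)"'
    r'[^{}]*?"CurrentStatus"\s*:\s*"(?P<status>[^"]*)"[^{}]*?\}'
)


def count_severity_status(raw):
    """Return (Counter keyed like 'LEVEL II-PASSED', number of groupings that
    lacked one of the two fields and were therefore not counted)."""
    counts = Counter()
    paired = 0
    for m in PAIR_RE.finditer(raw):
        counts[f"{m.group('sev')}-{m.group('status')}"] += 1
        paired += 1
    skipped = len(GROUP_RE.findall(raw)) - paired
    return counts, skipped


def make_group(severity, status=None):
    """Build one multi-line grouping shaped like the post's snippet
    (constructed sample data, not taken from the original JSON)."""
    fields = [("ID", ""), ("Severity", severity), ("Description", "")]
    if status is not None:
        fields.append(("CurrentStatus", status))
    fields.append(("Conflict", ""))
    body = ",\n".join(f'    "{k}": "{v}"' for k, v in fields)
    return "  {\n" + body + "\n  },"


# Constructed sample event: four complete groupings plus one with no CurrentStatus.
SAMPLE_RAW = "\n".join([
    make_group("LEVEL II", "PASSED"),
    make_group("LEVEL I", "FAILED"),
    make_group("LEVEL I", "PASSED"),
    make_group("LEVEL III", "FAILED"),
    make_group("LEVEL II"),  # incomplete grouping: reported, not paired with a neighbour
])

if __name__ == "__main__":
    counts, skipped = count_severity_status(SAMPLE_RAW)
    for key, n in sorted(counts.items()):
        print(f"{key}: {n}")
    print(f"groupings without a Severity/CurrentStatus pair: {skipped}")
```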