Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Not able to create a table from fields extracted from a JSON using regex

nikhil108
Observer
‎07-08-2021 03:36 AM

Hi All,

I wrote a regular expression to extract fields from an event containing data in the JSON format. The regular expression seems to be working fine on https://regex101.com/ but I am not able to transform extracted fields in the tabular format.

Below is the query with regular expression:

index="index_name" "<search term>" | rex field=_raw "\"(errorId)\":(?<errorId>.*),\"(errorMessage)\":(?<errorMessage>.*),\"(exceptionStackTrace)\":(?<exceptionStackTrace>.*),\"(userId)\":(?<userId>.*),\"(requestUri)\":(?<requestUri>.*)}"

Below is the extended query to transform it into a table:

index="index_name" "[search term]" | rex field=_raw "\"(errorId)\":(?<errorId>.*),\"(errorMessage)\":(?<errorMessage>.*),\"(userId)\":(?<userId>.*),\"(requestUri)\":(?<requestUri>.*)}" | table _time errorId errorMessage userId requestUri

Not able to see data in the columns except for _time. Below is the log data:

14321 <14>1 2021-07-07T09:39:53.222524+00:00 service-name 3d5c6a75-9e10-4fad-85bc-9ab8460a2a36 [APP/PROC/WEB/0] - - 2021-07-07 09:39:53,222 [http-nio-8080-exec-7] [ERROR] [Trace: Span: ] [searchTerm] {"errorId":"c9fb515d-5e63-4d30-ae0a-3aea707eea18","errorMessage":"custom error message","userId":"test id 100","requestUri":"uri=/employee/list"}

This is a sample log data but the actual data could be quite complex.

Can anyone please help?

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-08-2021 03:54 AM

Do you need the double quotes included in the field values? If not, try something like this

index="index_name" "[search term]" | rex field=_raw "\"errorId\":\"(?<errorId>[^\"]+)\",\"errorMessage\":\"(?<errorMessage>[^\"]+)\",\"userId\":\"(?<userId>[^\"]+)\",\"requestUri\":\"(?<requestUri>[^\"]+)\"}" | table _time errorId errorMessage userId requestUri
0 Karma
Reply

nikhil108
Observer
‎07-08-2021 04:21 AM

Hi @ITWhisperer 

Thanks for replying. The regular expression you have shared is working fine on  https://regex101.com/ and returns the fields without double quotes. But not able to see data in the table. The same issue still persists. 

FYI, I am using Splunk Enterprise 7.1.4.

Thanks.

Thanks.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-08-2021 05:19 AM

Are you saying that the rex works in search and returns data in the fields but the table command removes all the events, or that the expression works in regex101 and extracts the fields correctly there but not with your real data in splunk search? Does your real data perhaps include white spaces which are not present in your example?

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top