Splunk Search

Query Rex

StepneyGeezer
Explorer

Hello

 

Am a newbie and am looking to extract data from a sample set that looks like this (its ingested in JSON):

{
   levelinfo
   loguid="302650",  a_msg="HandlingStatus=Finished, Message=Changed
   log_typecontainerlogs
   streamstdout

}

 

I want to extract the uid data as well as the Message which is inside the a_msg.

I have 

rex field=log "uid=\"(?<uid>\d{1,}+)"

which gives me the uid, but I am REALLY struggling with the Message, ideally I would like a table to be produced so from the above data it would look like

UID, Message

-------------------

302650, PlanChanged

 

I am reading up on Rex and Reg Ex etc, but this particular request requires a quick turnaround and i am really struggling.  Any help would be appreciated.

 

Many thanks

Labels (2)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

No wonder you are struggling - this doesn't look like correctly formatted JSON - the rex you said works, doesn't work with the string you just post since it includes backslashes which are not in the rex you shared. If the backslashes really exist in your data, try something like this (the first part before the blank lines just sets up the data you shared.

| makeresults
| eval _raw="{\"log\":\"a_level=\\\"INFO\\\", a_uid=\\\"302650\\\", a_msg=\\\"HandlingStatus=Finished, Message=PlanChanged, MessageId=0c0277da-4b4a-4c4d-abcd-49b8c1e3f896, Result=True\\\", \"level\":\"info\"}"




| rex "uid=\\\\\"(?<uid>\d+).+Message=(?<message>[^,]+)"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Please can you share the raw event in a code block </> rather than a formatted version of the event?

0 Karma

StepneyGeezer
Explorer
{"log":"a_level=\"INFO\", a_uid=\"302650\", a_msg=\"HandlingStatus=Finished, Message=PlanChanged, MessageId=0c0277da-4b4a-4c4d-abcd-49b8c1e3f896, Result=True\", "level":"info"}

Thanks @ITWhisperer  - you getting me excited, i have spent ages on this 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

No wonder you are struggling - this doesn't look like correctly formatted JSON - the rex you said works, doesn't work with the string you just post since it includes backslashes which are not in the rex you shared. If the backslashes really exist in your data, try something like this (the first part before the blank lines just sets up the data you shared.

| makeresults
| eval _raw="{\"log\":\"a_level=\\\"INFO\\\", a_uid=\\\"302650\\\", a_msg=\\\"HandlingStatus=Finished, Message=PlanChanged, MessageId=0c0277da-4b4a-4c4d-abcd-49b8c1e3f896, Result=True\\\", \"level\":\"info\"}"




| rex "uid=\\\\\"(?<uid>\d+).+Message=(?<message>[^,]+)"

StepneyGeezer
Explorer

@ITWhisperer awesome thank you, this has saved me so much time.  it is producing what i need now albeit there are some anomalies in the data but i know what to do from here...thank you so much

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...