Solved: Re: Rex Help for fields extraction

sravankaripe · ‎02-13-2017

Please help me with rex
i have key and value in json format

{"context":{

"sessionID":"1234567890",
"eventSeverity":"Debug",
"msgType":"REQUEST",
"appID":"someServices",
"eventID":"START","msgPayload":{"inboundMsg":{"msgContentType":"{"idtypes":["ABCDE","ABC"],"userName":"someName"}"}}}}
how to retrive fields out of it.

skoelpin · ‎02-13-2017

Which value do you want to extract?

View solution in original post

somesoni2 · ‎02-13-2017

Try like this. The rex-sed command is requires as your data seems to have extra double quotes making it not pure json.

your current search which includes field _raw | rex mode=sed "s/\"{/{/g" | spath

somesoni2 · ‎02-13-2017

Is this _raw or a field?

sravankaripe · ‎02-13-2017

Yes,this is _raw field

skoelpin · ‎02-13-2017

Which value do you want to extract?

sravankaripe · ‎02-13-2017

sessionID,eventSeverity,msgType,appID,eventID,msgPayload,inboundMsg,msgContentType,idtypes,userName

skoelpin · ‎02-13-2017

I'd recommend kv_mode=json

But if you want to see how it's done then here ya go

... | rex sessionID\"\:\"(?<SessionID>\d+)
... | rex eventSeverity\"\:\"(?<EventSeverity>\w+)
... | rex msgType\"\:\"(?<msgType>\w+)
... | rex appID\"\:\"(?<AppID>\w+)
... | rex eventID\"\:\"(?<EventID>\w+)

sravankaripe · ‎02-13-2017

"idtypes":["ABCDE","XYZ"]

how to write for this

dbcase · ‎02-13-2017

what do you want to extract? ABCDE or XYZ, or the whole string ABCDE,XYZ?

sravankaripe · ‎02-13-2017

["ABCDE","XYZ"]

entire this value

skoelpin · ‎02-13-2017

Here ya go. If this answered your question, can you please accept it?

idtypes":\["(?<Name1>\w+)"\,"(?<Name2>\w+)

dbcase · ‎02-13-2017

try this:

"idtypes":(?<idtypes>\S+)[,]

sjalexander · ‎02-13-2017

if you can add
KV_MODE = json
to your props.conf for this sourcetype it's going to save you a lot of trouble (extraction will be automatic).

rex is most useful when automatic extraction fails; try the builtin functionality first.

more details available here:
https://answers.splunk.com/answers/124406/extracting-fields-from-json-file-format.html

sravankaripe · ‎02-13-2017

I need during search time.

sjalexander · ‎02-13-2017

understood. If this is something you're going to do on an ongoing basis, it's still a very good idea to get this stuff indexed in a usable manner instead of relying on searchtime hacks. If it's a one-off, carry on 🙂

Rex Help for fields extraction

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...