Splunk Search

Splunk Query Regular Expression

ramzadabala
Observer
 
Dear Team,
 
I've below Splunk log and trying to get stats count based on consumer_application. I've tried below regular expression but no results were returned -
 

Splunk Query: "uri":* (PaymentVerticle) | rex field=_raw "consumer_application\"\:\"(?P<Consumer>.*?)\"" | stats count by Consumer

Splunk Log 2021-04-22T11:31:25.115912284Z app_name=java message={"name":"PaymentVerticle", "timestamp":"2021-04-22T11:31:25.115Z","level":"info","schemaVersion":"0.1","application":{"name":"PaymentVerticle","version":"1.1.1"},"request":{"address":{"uri":"PaymentVerticle"},"metadata":{"correlation_id":"042320210010GMT"}},"message":"Received request with body {\"payment_request\":{\"consumer_application\":\"BLUEPRISM\"}}"}

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ramzadabala,

if in your logs you haven't backslashes before ", your regex is correct.

if instead in your logs you have backslashes before " (as in the sample you shared), the regex isn't correct and you have to modify it in this way:

| rex "consumer_application\\\":\\\"(?P<Consumer>.*?)\\\""

 You can test the regex at https://regex101.com/r/us0W8H/1

Ciao.

Giuseppe

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...