Splunk Search

Using regex to extract summary

bigll
Path Finder

In the raw data I have a portion that I would like to use in a report.

"changes":{"description":{"before":"<some text or empty>","after":"<some text or empty>"}}

 

I created 

rex summary= "changes":\{"description":\{"before":"<some text or empty>","after":"<some text or empty>"\}\})"

But it doesn't work.

Please advise

0 Karma

gcusello
SplunkTrust

Hi @bigll ,

as @ITWhisperer said, this seems to be a JSON format, so the INDEXED_EXTRACTIONS = json option in props.conf or the spath command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath) is the easiest solution to your requirement.

Then the rex command has a different format to extract fields: the field definition must be located inside the rex definition, as in the following example using your data:

| rex "before\":\"(?<summary_before>[^\"]*)\".\"after\":\"(?<summary_after>[^\"]*)"

You can see how to extract and test your regex at https://regex101.com/r/22aHz1/1

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust

This is not how rex works - you need to provide a pattern as a regular expression to identify what you want to extract. For example, do you want everything from "change" to "}}"? Does this pattern hold true for all your events where you want to extract this field?

Aside from that, this looks like json - why aren't you using spath or the other json functions to extract the json field?

0 Karma

bigll
Path Finder

Thank you for your message.

You are correct, I need everything between {} as a value of the field I can include in the table.


0 Karma

ITWhisperer
SplunkTrust

Try this

| rex "\"changes\":(?<changes>\{.*?\}\})"
0 Karma
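The two rex patterns in this thread (gcusello's named-group extraction of before/after, and ITWhisperer's capture of the whole "changes" object) and the spath alternative can be checked offline before running them against an index. The following Python script is an added example, not code from the thread or from Splunk: it emulates rex with Python's re module and spath with json.loads, on three constructed events (one normal, one with an empty "before", one with an escaped quote inside a value). The helper names rex, spath_changes, rex_then_parse and splunk_to_python are hypothetical. Splunk's rex uses PCRE, where a named group is (?<name>...), while Python spells it (?P<name>...), so the script rewrites that prefix and otherwise uses the patterns as PCRE sees them after Splunk has unescaped the \" sequences inside the SPL string.

```python
import json
import re

# Constructed sample events shaped like the JSON fragment in the question; not real data.
# Event 3 carries an escaped quote inside "before", which is where a quote-delimited regex breaks.
EVENTS = [
    '{"id":1,"changes":{"description":{"before":"old text","after":"new text"}}}',
    '{"id":2,"changes":{"description":{"before":"","after":"added later"}}}',
    '{"id":3,"changes":{"description":{"before":"say \\"hi\\"","after":"quoted"}}}',
]

# The thread's patterns as PCRE sees them once Splunk has unescaped \" inside the SPL string.
# The + form needs at least one character per value; the * form also accepts the empty values
# the question mentions.
REX_WHOLE_OBJECT = r'"changes":(?<changes>\{.*?\}\})'
REX_BEFORE_AFTER_PLUS = r'before":"(?<summary_before>[^"]+)"."after":"(?<summary_after>[^"]+)'
REX_BEFORE_AFTER = r'before":"(?<summary_before>[^"]*)"."after":"(?<summary_after>[^"]*)'


def splunk_to_python(pattern):
    """rex is PCRE, where a named group is (?<name>...); Python's re module spells it
    (?P<name>...). Only rewrite (?< when a name follows, so lookbehinds (?<= (?<! stay intact."""
    return re.sub(r'\(\?<(?=[A-Za-z_])', '(?P<', pattern)


def rex(pattern, event):
    """Emulate `| rex "<pattern>"` on one event: first match wins and each named group
    becomes a field. An event that does not match simply gets no fields."""
    match = re.search(splunk_to_python(pattern), event)
    return match.groupdict() if match else {}


def spath_changes(event):
    """Emulate `| spath path=changes`: parse the event as JSON and return the nested object,
    so escaped quotes and empty strings are handled by the parser, not by a regex."""
    return json.loads(event).get("changes")


def rex_then_parse(event):
    """Capture the whole object with rex, then parse the captured string: the Python
    counterpart of `| rex ... | spath input=changes` (a hypothetical search, not from the thread)."""
    captured = rex(REX_WHOLE_OBJECT, event).get("changes")
    return json.loads(captured) if captured else None


if __name__ == "__main__":
    for event in EVENTS:
        print("rex whole object :", rex(REX_WHOLE_OBJECT, event))
        print("rex before/after :", rex(REX_BEFORE_AFTER, event))
        print("spath            :", spath_changes(event))
```

Running it shows the trade-off: the whole-object capture succeeds on all three events because it stops at the first "}}", the before/after extraction returns nothing for the empty value with the + quantifier and nothing for the escaped-quote event with either quantifier, while the JSON parse handles both. If the rex output is only ever fed into a table, capturing the whole object and then parsing it with spath is the more robust of the two regex routes.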