Splunk Search

Would you create rex or regex to extract a string and create a new field?

dwong2
New Member

I have the raw data below. How do I get the strings after the "action": and put all the results into a new field?

{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}

{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}
0 Karma

amiftah
Communicator

@ddrillic you can use the sed command to replace : with =:
| rex field=_raw mode=sed "s/:/=/g"
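As an added example (not code from this thread or from Splunk), the Python below mimics what the sed rewrite does to the two raw events from the question. Replacing every colon also rewrites the colons inside the dateTime value and inside the URL carried by a page: action, so the automatically extracted values come out mangled; a rewrite that only touches the colon after a quoted key leaves the values intact. The auto_kv_pairs helper is an assumed, rough model of key=value discovery on the rewritten event, not Splunk's own extractor, and the sample events are the ones posted in the question (including the missing quote before xd).

```python
import re

# Constructed sample events copied from the question as posted in this thread,
# including the missing quote before xd that the raw data has.
SAMPLE_EVENTS = [
    '{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}',
    '{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}',
]


def sed_all_colons(raw: str) -> str:
    """What `| rex field=_raw mode=sed "s/:/=/g"` does: every colon becomes '=',
    including the ones inside the timestamp and inside URL-valued fields."""
    return re.sub(":", "=", raw)


def sed_key_separator_only(raw: str) -> str:
    """Narrower rewrite: only the colon that follows a (quoted) key becomes '='.
    The opening quote is optional so the malformed ,xd": in the sample is handled too."""
    return re.sub(r'"?(\w+)":', r'"\1"=', raw)


def auto_kv_pairs(rewritten: str) -> dict:
    """Assumed, rough stand-in for automatic key=value field discovery on the
    rewritten event (NOT Splunk's extractor): collects "key"="value" pairs."""
    return dict(re.findall(r'"(\w+)"="([^"]*)"', rewritten))


def compare(raw: str) -> dict:
    """Fields each rewrite yields for one event, for side-by-side inspection."""
    return {
        "all_colons": auto_kv_pairs(sed_all_colons(raw)),
        "key_separator_only": auto_kv_pairs(sed_key_separator_only(raw)),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for name, fields in compare(event).items():
            print(f"{name:20} dateTime={fields.get('dateTime')!r} action={fields.get('action')!r}")
```

In SPL the narrower rewrite would be roughly | rex field=_raw mode=sed "s/\"?(\w+)\":/\"\1\"=/g" (sed mode supports \1 back-references; check the result against your own events before relying on it). If you control the log producer, emitting well-formed JSON and using spath or INDEXED_EXTRACTIONS=json is the cleaner fix; as posted, the events are missing the quote before xd and are not valid JSON.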

ddrillic
Ultra Champion

So, great, we can replace the : with = and then the fields should be automatically detected.

0 Karma

hos_2
Path Finder

This will work much better and faster than my previous regex.

0 Karma

ddrillic
Ultra Champion

Is there a way to convert the : to = in the log file?

0 Karma

j_cabanillas
Explorer

Add this to your search

index=my_index | rex field=_raw "\"action\":\"(?<action>[^\"]+)\""

If you don't want to get the action=Exit let me know

0 Karma

j_cabanillas
Explorer

You can do the same for the other constant fields like dateTime, ID and account.

0 Karma

amiftah
Communicator

Did you miss a quote after "page:?
Can you show what's after page:? can action have multiple values separated by :?

0 Karma

hos_2
Path Finder

If there is more data after page: then use this:

"action":"(?<test>\w+|.+)"

This will grab everything inside the quotes

0 Karma

hos_2
Path Finder

Hi dwong2,

Try it in https://regex101.com/

"action":"(?<test>\w+|.+)"

Basically you want to tell regex to search for "Action" and group any of the results into a field we can call on later, which in this example I named "test".

0 Karma
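As an added example (not code from this thread or from Splunk), the Python below runs the two regexes proposed in this thread, j_cabanillas' "action":"(?<action>[^"]+) and hos_2's "action":"(?<test>\w+|.+)", over the raw events from the question, plus a third, assumed event in which "action" is not the last field. It also shows why plain JSON parsing is not an option for these events as posted, and how to pull out only the page: actions as asked in the follow-up. Python spells a named group (?P<name>...) where Splunk's rex uses (?<name>...); the patterns are otherwise the ones from the thread.

```python
import json
import re

# Constructed sample events. The first two are the thread's raw data as posted
# (including the missing quote before xd); the third is an assumed extra event
# in which "action" is NOT the last field, to show where the two regexes differ.
SAMPLE_EVENTS = [
    '{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}',
    '{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}',
    '{"dateTime":"2018-03-19T05:57:48.0002859Z","ID":"a1c2","account":"9002",xd":"860","action":"page:http://first.com/roomV8.2/front.main/","tile":"HeroTile"}',
]

# Python's re uses (?P<name>...) for named groups; Splunk's rex uses (?<name>...).
ACTION_NEGATED = re.compile(r'"action":"(?P<action>[^"]+)"')  # j_cabanillas' pattern
ACTION_GREEDY = re.compile(r'"action":"(?P<test>\w+|.+)"')    # hos_2's pattern
ACTION_PAGE = re.compile(r'"action":"page:(?P<url>[^"]+)"')   # dwong2's follow-up question


def is_valid_json(raw: str) -> bool:
    """spath / JSON field extraction needs well-formed JSON; the posted events are not,
    so a rex extraction is the practical fallback."""
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False


def extract_action(raw: str):
    """[^"]+ stops at the first closing quote, so it is safe wherever action sits."""
    m = ACTION_NEGATED.search(raw)
    return m.group("action") if m else None


def extract_action_greedy(raw: str):
    """\\w+|.+ : when the value contains non-word characters (page:http://...) the \\w+
    branch fails and .+ runs to the LAST quote on the line, swallowing later fields."""
    m = ACTION_GREEDY.search(raw)
    return m.group("test") if m else None


def extract_page_url(raw: str):
    """Only events whose action starts with page:, returning the URL part; None otherwise."""
    m = ACTION_PAGE.search(raw)
    return m.group("url") if m else None


def actions_by_event(events):
    """Equivalent of `| rex ... | table action`: one action per event (None when absent)."""
    return [extract_action(e) for e in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("valid JSON:", is_valid_json(event))
        print("  [^\"]+   ->", extract_action(event))
        print("  \\w+|.+  ->", extract_action_greedy(event))
        print("  page url ->", extract_page_url(event))
```

In SPL the safe form is | rex field=_raw "\"action\":\"(?<action>[^\"]+)\"" and, for the page: case only, | rex field=_raw "\"action\":\"page:(?<url>[^\"]+)\"" (or extract action first and filter with action="page:*"). Prefer [^"]+ over .+ whenever the value can contain non-word characters or "action" is not guaranteed to be the last field in the event.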

dwong2
New Member

If I wanted to search for this instead: "action":"page: ?

0 Karma