Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Would you create rex or regex to extract a string and create a new field?

dwong2
New Member
โ€Ž06-27-2018 02:20 PM

I have the raw data below. How do I get the strings after the "action": and put all the results into a new field? 

{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}

{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}
0 Karma
Reply

amiftah
Communicator
โ€Ž06-27-2018 06:28 PM

@ddrillic you can use the sed command to replace : by = :
| rex field=_raw mode=sed "s/:/=/g"

Reply

ddrillic
Ultra Champion
โ€Ž06-28-2018 06:56 AM

So, great, we can replace the : with = and then the fields should be automatically detected.

0 Karma
Reply

hos_2
Path Finder
โ€Ž06-28-2018 10:00 AM

This will work much better and faster then my previous regex.

0 Karma
Reply

ddrillic
Ultra Champion
โ€Ž06-27-2018 03:27 PM

Is there a way to convert the : to = in the log file?

0 Karma
Reply

j_cabanillas
Explorer
โ€Ž07-20-2018 10:43 AM

Add this to your search

index=my index  |rex field=source "\"action\":\"(?<action>[^\"]+)" |

If you don't want to get the action=Exit let me know

0 Karma
Reply

j_cabanillas
Explorer
โ€Ž07-20-2018 10:46 AM

you can do the same for other fields constants like dateTime ID account

0 Karma
Reply

amiftah
Communicator
โ€Ž06-27-2018 03:06 PM

Did you miss a quote after "page:?
Can you show what's after page:? can action have multiple values separated by :?

0 Karma
Reply

hos_2
Path Finder
โ€Ž06-27-2018 03:32 PM

If there is more data after page: then use this:

"action":"(?<test>\w+|.+)"

This will grab everything inside the quotes

0 Karma
Reply

hos_2
Path Finder
โ€Ž06-27-2018 02:58 PM

Hi dwong2,

Try it in https://regex101.com/

"action":"(?<test>\w+|.+)"

Basically you want to tell regex to search for "Action" and group any of the results into a field we can call on later, which in this example I named "test".

0 Karma
Reply

dwong2
New Member
โ€Ž06-27-2018 03:43 PM

If i wanted to search for this instead "action":"page: ?

0 Karma
Reply