Splunk Search

Would you create rex or regex to extract a string and create a new field?

dwong2
New Member

I have the raw data below. How do I get the strings after the "action": and put all the results into a new field?

{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}

{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}
0 Karma

amiftah
Communicator

@ddrillic you can use the sed command to replace : with =:
| rex field=_raw mode=sed "s/:/=/g"

ddrillic
Ultra Champion

So, great, we can replace the : with = and then the fields should be automatically detected.

0 Karma

hos_2
Path Finder

This will work much better and faster than my previous regex.

0 Karma

ddrillic
Ultra Champion

Is there a way to convert the : to = in the log file?

0 Karma

j_cabanillas
Explorer

Add this to your search

index=my_index | rex field=_raw "\"action\":\"(?<action>[^\"]+)"

If you don't want to get the action=Exit, let me know.

0 Karma

j_cabanillas
Explorer

You can do the same for other constant fields like dateTime, ID, account.

0 Karma

amiftah
Communicator

Did you miss a quote after "page:?
Can you show what's after page:? can action have multiple values separated by :?

0 Karma

hos_2
Path Finder

If there is more data after page: then use this:

"action":"(?<test>\w+|.+)"

This will grab everything inside the quotes

0 Karma

hos_2
Path Finder

Hi dwong2,

Try it in https://regex101.com/

"action":"(?<test>\w+|.+)"

Basically you want to tell regex to search for "Action" and group any of the results into a field we can call on later, which in this example I named "test".

0 Karma

dwong2
New Member

If I wanted to search for this instead: "action":"page: ?

0 Karma
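The extractions discussed in this thread, run offline in Python as an added example (this is not code from any of the posters and not Splunk itself). Python's re module stands in for Splunk's rex: the patterns are the ones posted above, with PCRE's (?<name>...) spelled (?P<name>...). The sample events are constructed to look like the ones in the question, with the quotes balanced and a third event that places "action" before another field, so the difference between the [^"]+ regex and the \w+|.+ regex shows up: the greedy .+ runs to the last quote on the line. It also filters to "action":"page: and shows what the s/:/=/g sed substitution does to the timestamp and the URL.

```python
import re
from typing import List, Optional

# Constructed sample events modelled on the ones in the question (not the
# poster's exact data): quotes are balanced, and the third event puts "action"
# before another field so the difference between the two regexes is visible.
SAMPLE_EVENTS = [
    '{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002","xd":"859","action":"Exit"}',
    '{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295","xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}',
    '{"dateTime":"2018-03-19T05:57:48.0002859Z","ID":"d1e2","account":"a1b2","action":"page:http://second.com/roomV8.2/front.main/","xd":"c3d4"}',
]

# Splunk's rex uses PCRE named groups, (?<action>...); Python's re module
# spells the same group (?P<action>...). Otherwise the patterns are the
# ones posted in the thread.
STRICT_ACTION = re.compile(r'"action":"(?P<action>[^"]+)"')   # stops at the next quote
LOOSE_ACTION = re.compile(r'"action":"(?P<test>\w+|.+)"')      # .+ is greedy: runs to the last quote on the line
PAGE_ACTION = re.compile(r'"action":"page:(?P<url>[^"]+)"')    # only page: actions, URL part captured


def extract_action(event: str) -> Optional[str]:
    """Same capture as the posted rex with [^"]+ applied to one event."""
    m = STRICT_ACTION.search(event)
    return m.group("action") if m else None


def extract_action_loose(event: str) -> Optional[str]:
    """Same capture as the posted (?<test>\\w+|.+) variant. Correct only when
    the action value is the last quoted string on the line."""
    m = LOOSE_ACTION.search(event)
    return m.group("test") if m else None


def extract_page_url(event: str) -> Optional[str]:
    """Keep only events whose action starts with page: and return the URL."""
    m = PAGE_ACTION.search(event)
    return m.group("url") if m else None


def sed_colon_to_equals(event: str) -> str:
    """Same effect as rex mode=sed "s/:/=/g": every colon is replaced,
    including the ones inside the timestamp and the URL."""
    return event.replace(":", "=")


def actions_from_events(events: List[str]) -> List[str]:
    """The new field across all events, as the original question asks for."""
    return [a for a in (extract_action(e) for e in events) if a is not None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("strict:", extract_action(e))
        print("loose: ", extract_action_loose(e))
        print("page:  ", extract_page_url(e))
    print(sed_colon_to_equals(SAMPLE_EVENTS[0]))
```

On the first two events both regexes return the same value; on the third, extract_action_loose returns everything up to the final quote of the line, including the following "xd" field, while extract_action stops at the quote that closes the action value. The sed output shows the colons in 05:57:46 and in http:// replaced as well, which is what a global s/:/=/g does.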