Splunk Search

Would you create rex or regex to extract a string and create a new field?

New Member

I have the raw data below. How do I get the strings after the "action": and put all the results into a new field?

{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}

{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}
0 Karma

Communicator

@ddrillic you can use the sed command to replace : by = :
| rex field=_raw mode=sed "s/:/=/g"

Ultra Champion

So, great, we can replace the : with = and then the fields should be automatically detected.

0 Karma

Path Finder

This will work much better and faster then my previous regex.

0 Karma

Ultra Champion

Is there a way to convert the : to = in the log file?

0 Karma

Explorer

Add this to your search

index=my index  |rex field=source "\"action\":\"(?<action>[^\"]+)" |  

If you don't want to get the action=Exit let me know

0 Karma

Explorer

you can do the same for other fields constants like dateTime ID account

0 Karma

Communicator

Did you miss a quote after "page:?
Can you show what's after page:? can action have multiple values separated by :?

0 Karma

Path Finder

If there is more data after page: then use this:

"action":"(?<test>\w+|.+)"

This will grab everything inside the quotes

0 Karma

Path Finder

Hi dwong2,

Try it in https://regex101.com/

"action":"(?<test>\w+|.+)"

Basically you want to tell regex to search for "Action" and group any of the results into a field we can call on later, which in this example I named "test".

0 Karma

New Member

If i wanted to search for this instead "action":"page: ?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!