Solved: Re: different format field extraction using rex

BT · ‎02-02-2022

Hello @Anonymous

Please help me out here.

I was trying to extract a field "faultDescription". but the logs have different format for each event.

event 1: "faultDescription" : "Backend system error has occurred.",

event 2 : <soafault:faultDescription>SKU is not provided</soafault:faultDescription>

event 3: <soafault:faultDescription>SKU is not provided</soafault:faultDescription>

i have tried below rex command, and it works for event 1 and 3. But how to write a command which will extract fault description in all 3 formats.

There is space between faultdescription" and : hence not able to write a expression which will involve all 3 events

i have tried : | rex field=_raw "faultDescription+.\s:\s(?P<description>.+),"

gcusello · ‎02-02-2022

Hi @BT,

ok, please try this:

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s*:\s*\")|(\<faultDescription\>))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/3

Ciao.

Giuseppe

View solution in original post

BT · ‎02-02-2022

Hi Giuseppe,

I tried the rex command which was provided by you.. Thank you.. it works perfectly for all events, but when i tried it on splunk for extraction i found out there is another format for which it is not working .

it looks same as event 1, but there is no space between ":" Should i be adding one more | and try it out?

"faultDescription":"No results found for the given ICCID."

gcusello · ‎02-02-2022

Hi @BT,

ok, please try this:

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s*:\s*\"))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/2

Ciao.

Giuseppe

gcusello · ‎02-02-2022

Hi @BT,

please try this regex

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s+:\s+\"))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/1

Ciao.

Giuseppe

BT · ‎02-02-2022

Works like a charm 🙂 thanks a lot for the quick resolution

gcusello · ‎02-02-2022

hi @BT,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated ;.)

BT · ‎02-02-2022

There is another format . Sorry for missing it out in the begining.

<faultDescription>Backend system error has occurred.</faultDescription>

if i remove <soafault:faultDescription\> and replace it with * and write the rex as "((\<*faultDescription\>)|(\"faultDescription\"\s*:\s*\"))(?<faultDescription>[^\"\<]+), then

<soafault:faultDescription>Backend system error has occurred.</soafault:faultDescription>

is not considered.

1.<soafault:faultDescription>SKU is not provided</soafault:faultDescription>

2."faultDescription" : "Backend system error has occurred."

3.<faultDescription>Backend system error has occurred.</faultDescription>

4."faultDescription":"No results found for the given ICCID."

gcusello · ‎02-02-2022

Hi @BT,

ok, please try this:

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s*:\s*\")|(\<faultDescription\>))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/3

Ciao.

Giuseppe

BT · ‎02-02-2022

Thank you.. It works !!!!!!

different format field extraction using rex

field extraction

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

different format field extraction using rex

field extraction

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk