Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

different format field extraction using rex

BT
Path Finder
‎02-02-2022 01:52 AM

Hello @Anonymous 

Please help me out here.

I was trying to extract a field "faultDescription". but the logs have different format for each event. 

event 1: "faultDescription" : "Backend system error has occurred.",

event 2 : <soafault:faultDescription>SKU is not provided</soafault:faultDescription>

event 3: <soafault:faultDescription>SKU is not provided</soafault:faultDescription>

 

i have tried below rex command, and it works for event 1 and 3. But how to write a command which will extract fault description in all 3 formats.

There is space between faultdescription" and : hence not able to write a expression which will involve all 3 events

 

i have tried : | rex field=_raw "faultDescription+.\s:\s(?P<description>.+)," 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 05:31 AM

Hi @BT,

ok, please try this:

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s*:\s*\")|(\<faultDescription\>))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/3

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

BT
Path Finder
‎02-02-2022 02:20 AM

Hi Giuseppe,

 

I tried the rex command which was provided by you.. Thank you.. it works perfectly for all events, but when i tried it on splunk for extraction i found out there is another format for which it is not working .

it looks same as event 1, but there is no space between ":" Should i be adding one more | and try it out?

"faultDescription":"No results found for the given ICCID."

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 02:44 AM

Hi @BT,

ok, please try this:

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s*:\s*\"))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/2

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 02:01 AM

Hi @BT,

please try this regex

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s+:\s+\"))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

BT
Path Finder
‎02-02-2022 02:54 AM

Works like a charm 🙂 thanks a lot for the quick resolution

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 03:05 AM

hi @BT,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated ;.)

Reply
Solved! Jump to solution

BT
Path Finder
‎02-02-2022 04:20 AM

There is another format . Sorry for missing it out in the begining.

<faultDescription>Backend system error has occurred.</faultDescription>

 

if i remove <soafault:faultDescription\> and replace it with * and write the rex as "((\<*faultDescription\>)|(\"faultDescription\"\s*:\s*\"))(?<faultDescription>[^\"\<]+), then 

<soafault:faultDescription>Backend system error has occurred.</soafault:faultDescription>

is not considered.

1.<soafault:faultDescription>SKU is not provided</soafault:faultDescription>

2."faultDescription" : "Backend system error has occurred."

3.<faultDescription>Backend system error has occurred.</faultDescription>

4."faultDescription":"No results found for the given ICCID."

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 05:31 AM

Hi @BT,

ok, please try this:

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s*:\s*\")|(\<faultDescription\>))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/3

Ciao.

Giuseppe

Reply
Solved! Jump to solution

BT
Path Finder
‎02-02-2022 05:34 AM

Thank you.. It works !!!!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...