Splunk Search

different format field extraction using rex

BT
Path Finder

Hello @msu 

Please help me out here.

I was trying to extract a field "faultDescription", but the logs have a different format for each event.

event 1: "faultDescription" : "Backend system error has occurred.",

event 2 : <soafault:faultDescription>SKU is not provided</soafault:faultDescription>

event 3: <soafault:faultDescription>SKU is not provided</soafault:faultDescription>

 

I have tried the rex command below, and it works for events 1 and 3. But how do I write a command which will extract the fault description in all 3 formats?

There is a space between faultDescription" and :, hence I am not able to write an expression which will involve all 3 events.

 

I have tried: | rex field=_raw "faultDescription+.\s:\s(?P<description>.+),"

0 Karma

BT
Path Finder

Hi Giuseppe,

 

I tried the rex command which was provided by you. Thank you, it works perfectly for all events, but when I tried it on Splunk for extraction I found out there is another format for which it is not working.

It looks the same as event 1, but there is no space around the ":". Should I be adding one more | and try it out?

"faultDescription":"No results found for the given ICCID."

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @BT,

ok, please try this:

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s*:\s*\"))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/2

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @BT,

please try this regex

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s+:\s+\"))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/1

Ciao.

Giuseppe

BT
Path Finder

Works like a charm 🙂 Thanks a lot for the quick resolution.

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi @BT,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated ;.)

BT
Path Finder

There is another format. Sorry for missing it out in the beginning.

<faultDescription>Backend system error has occurred.</faultDescription>

 

If I remove <soafault:faultDescription\> and replace it with * and write the rex as "((\<*faultDescription\>)|(\"faultDescription\"\s*:\s*\"))(?<faultDescription>[^\"\<]+), then

<soafault:faultDescription>Backend system error has occurred.</soafault:faultDescription>

is not considered.

1.<soafault:faultDescription>SKU is not provided</soafault:faultDescription>

2."faultDescription" : "Backend system error has occurred."

3.<faultDescription>Backend system error has occurred.</faultDescription>

4."faultDescription":"No results found for the given ICCID."

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @BT,

ok, please try this:

| rex "^((\<soafault:faultDescription\>)|(\"faultDescription\"\s*:\s*\")|(\<faultDescription\>))(?<faultDescription>[^\"\<]+)"

that you can test at https://regex101.com/r/UR6ETx/3

Ciao.

Giuseppe
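Giuseppe's final rex run outside Splunk, as an added example that is not part of this thread: the same alternation is applied with Python's re module (which spells the named group (?P<name>...) instead of PCRE's (?<name>...)) to the four constructed event formats BT listed. It also shows an unanchored variant for events where the field does not start the line; that such events exist is an assumption, not something the thread states.

```python
import re

# Alternation from the accepted rex: one branch per observed format.
# \s* around the colon covers both the spaced and unspaced JSON variants.
_ALTERNATION = (
    r'((<soafault:faultDescription>)'
    r'|("faultDescription"\s*:\s*")'
    r'|(<faultDescription>))'
    r'(?P<faultDescription>[^"<]+)'  # stop at the closing quote or tag
)

# Anchored form, exactly as posted (the ^ requires the field at event start).
FAULT_RE = re.compile("^" + _ALTERNATION)
# Unanchored form for events that carry a timestamp or other prefix first.
FAULT_RE_UNANCHORED = re.compile(_ALTERNATION)


def extract_fault_description(event, anchored=True):
    """Return the faultDescription value from one raw event, or None."""
    pattern = FAULT_RE if anchored else FAULT_RE_UNANCHORED
    m = pattern.search(event)
    return m.group("faultDescription") if m else None


def extract_all(events, anchored=True):
    """Apply the extraction to a list of events, keeping only hits."""
    found = [extract_fault_description(e, anchored) for e in events]
    return [value for value in found if value is not None]


# Constructed sample events, one per format listed in the thread.
SAMPLE_EVENTS = [
    '<soafault:faultDescription>SKU is not provided</soafault:faultDescription>',
    '"faultDescription" : "Backend system error has occurred.",',
    '<faultDescription>Backend system error has occurred.</faultDescription>',
    '"faultDescription":"No results found for the given ICCID."',
]

# Constructed event with a log prefix: the anchored rex misses it (assumption
# about such data existing; the thread shows only events starting with the field).
MID_EVENT = '2024-03-01T12:00:00Z ERROR "faultDescription":"No results found for the given ICCID."'

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_fault_description(event))
    print(extract_fault_description(MID_EVENT))                   # None
    print(extract_fault_description(MID_EVENT, anchored=False))   # matches
```

If your events carry a timestamp or header before the field, drop the leading ^ from the rex, otherwise the extraction silently returns nothing for those events.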

BT
Path Finder

Thank you. It works!

0 Karma