Splunk Search

extract field using rex without using _raw

ksharma7
Path Finder

I have data like

202-06-19T13:02:293 message="event(level=Error name=xyz)

 context: {

Id: 12345,

locale: 'us'

blah blah

 

My objective is to get error count by corresponding to Id . I have a csv say abc.csv from which I have to look up Id and display result only corresponding to the Id present in csv. moreover for some logs id is logged as field but for some it is not getting logged as field. I used below query:

 

index=rxc sourcetype="rxcapp"  (level=ERROR) earliest=-30m | rex field=_raw "Id:[\S\s]+?(?<Id>.\d+)" | search  [| inputlookup abc.csv | rename id as Id | fields Id]| lookup abc.csv id As Id OUTPUT site| stats count by name site level

 

It is giving me result correctly when I search but when I go and commit it on github it throws error like below :

 

REX FIELD checks for use of _raw
FAILURE: in file local/searches.conf in section [ABC 
 Error alert] -> rex field cannot = _raw 

Is there any way I can achieve what I want without using _raw and  "context" is also not logged as field in logs(fyi)

Labels (1)
Tags (2)
0 Karma
1 Solution

ksharma7
Path Finder

Got it by just removing filed and _raw 

 

|rex "Id:\s*(?<Id>\d+),"

View solution in original post

Tags (1)
0 Karma

diogofgm
SplunkTrust
SplunkTrust

Hi,

_raw is the default field for rex. You can use the rex command without specifying the field if you are targetting your raw data (e.g. like you are doing). If you want to rex from a table (e.g. stats result) you need to specify the field.

You can always set up a field extraction in props.conf for your sourcetype. This way you don't need to use rex on your search.

What I don't understand is what you mean with an error thrown with the commit to Github. Do you run Splunk app inspect as some sort of workflow action on commit and that's throwing the errors? If that's the case can you post your search stanza ("[ABC Error alert]") from searches.conf?

Regards

------------
Hope I was able to help you. If so, some karma would be appreciated.
Tags (2)
0 Karma

ksharma7
Path Finder

Got it by just removing filed and _raw 

 

|rex "Id:\s*(?<Id>\d+),"

Tags (1)
0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...