extract field using rex without using _raw

ksharma7
Path Finder

I have data like:

202-06-19T13:02:293 message="event(level=Error name=xyz)
 context: {
Id: 12345,
locale: 'us'
blah blah

My objective is to get the error count corresponding to each Id. I have a CSV, say abc.csv, from which I have to look up the Id and display results only for the Ids present in the CSV. Moreover, for some logs the id is logged as a field, but for others it is not. I used the below query:

index=rxc sourcetype="rxcapp"  (level=ERROR) earliest=-30m | rex field=_raw "Id:[\S\s]+?(?<Id>.\d+)" | search  [| inputlookup abc.csv | rename id as Id | fields Id]| lookup abc.csv id As Id OUTPUT site| stats count by name site level


It gives me the correct result when I search, but when I commit it to GitHub it throws an error like the one below:

REX FIELD checks for use of _raw
FAILURE: in file local/searches.conf in section [ABC Error alert] -> rex field cannot = _raw

Is there any way I can achieve what I want without using _raw? Also, "context" is not logged as a field in the logs (FYI).


ksharma7
Path Finder

Got it by just removing field and _raw:

|rex "Id:\s*(?<Id>\d+),"
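As an added example (not from the thread), the accepted rex pattern and the question's original pattern are replayed offline against constructed sample lines in the shape of the question's log, using JavaScript's PCRE-like named groups as a stand-in for Splunk's regex engine; the filtering by a constructed stand-in for abc.csv emulates the subsearch and stats steps of the search so you can see which Ids survive.

```javascript
// Added example, not code from the thread. Constructed sample events in the
// shape of the question's log (the Id is sometimes absent, sometimes unspaced).
const SAMPLE_EVENTS = [
  'message="event(level=Error name=xyz) context: { Id: 12345, locale: \'us\' }',
  'message="event(level=Error name=xyz) context: { Id:67890, locale: \'us\' }',
  'message="event(level=Error name=abc) context: { Id: 12345, locale: \'de\' }',
  'message="event(level=Error name=abc) context: { locale: \'us\' }', // no Id logged
];

// Pattern from the accepted answer:  | rex "Id:\s*(?<Id>\d+),"
const ACCEPTED = /Id:\s*(?<Id>\d+),/;
// Pattern from the question:  | rex field=_raw "Id:[\S\s]+?(?<Id>.\d+)"
// The lazy [\S\s]+? eats at least one character after "Id:", so when there is
// no space the first digit is swallowed and the capture is truncated.
const ORIGINAL = /Id:[\S\s]+?(?<Id>.\d+)/;

// Returns the captured Id as a string, or null when the pattern does not match.
function extractId(line, pattern = ACCEPTED) {
  const m = pattern.exec(line);
  return m ? m.groups.Id : null;
}

// Emulates:  | search [| inputlookup abc.csv | fields Id] | stats count by Id
// Events with no Id, or an Id not in the lookup, are dropped as the subsearch does.
function countErrorsByKnownId(lines, knownIds, pattern = ACCEPTED) {
  const counts = {};
  for (const line of lines) {
    const id = extractId(line, pattern);
    if (id === null || !knownIds.has(id)) continue;
    counts[id] = (counts[id] || 0) + 1;
  }
  return counts;
}

// Constructed stand-in for the Id column of abc.csv.
const ABC_CSV_IDS = new Set(['12345', '67890']);

// Stand-alone demo: compare what each pattern extracts per event.
for (const line of SAMPLE_EVENTS) {
  console.log(`accepted=${extractId(line)}  original=${extractId(line, ORIGINAL)}`);
}
console.log('stats count by Id:', countErrorsByKnownId(SAMPLE_EVENTS, ABC_CSV_IDS));
```

With the original pattern the unspaced event yields 7890, which is not in the lookup and silently disappears from the alert's count.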

diogofgm
SplunkTrust
SplunkTrust

Hi,

_raw is the default field for rex. You can use the rex command without specifying the field if you are targeting your raw data (e.g. like you are doing). If you want to rex from a table (e.g. a stats result) you need to specify the field.

You can always set up a field extraction in props.conf for your sourcetype. This way you don't need to use rex on your search.

What I don't understand is what you mean with an error thrown with the commit to Github. Do you run Splunk app inspect as some sort of workflow action on commit and that's throwing the errors? If that's the case can you post your search stanza ("[ABC Error alert]") from searches.conf?

Regards

------------
Hope I was able to help you. If so, some karma would be appreciated.
