Splunk Search

need help with rex to extract responseMessage as ==> Declined - Do not Honor so that I can stats count by rspCode and respMesage with detail

harishnpandey
Explorer

2019-12-03 17:31:27.633 INFO ,aabbe872bbf3f848,aabbe872bbf3f848,false] 15 --- [nio-8080-exec-5] c.u.f.p.api.impl.: InfoLogging Operation=MakePayment, RequestSourceCode=ZBL, PaymentResponse=class PaymentResponse { responseCode: AB0000 responseMessage: Declined - Do not Honor orderId: 269107641 }

This is just n example . With the rex query I want to list all codes with respMessage

Below rex Query gets me respCode and respMessage part as only "Declined"

rex field=msg "responseCode: (?.[a-z0-9A-Z_-]+)"| rex field=msg "responseMessage: (?.[a-z0-9A-Z_-]+)

Tags (2)
0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw ="2019-12-03 17:31:27.633 INFO ,aabbe872bbf3f848,aabbe872bbf3f848,false] 15 --- [nio-8080-exec-5] c.u.f.p.api.impl.: InfoLogging Operation=MakePayment, RequestSourceCode=ZBL, PaymentResponse=class PaymentResponse { responseCode: AB0000 responseMessage: Declined - Do not Honor orderId: 269107641 }"
| rex mode=sed "s/(\w+): (.+?)(?= \w+\:| })/\"\1\": \"\2\",/g"
| rex "(?<json>\{.+\})"
| spath input=json

make JSON by force.

0 Karma

dindu
Contributor

Hey Harish,

Assuming you want everything in between responseMessage and orderId.
You could use the below SPL.
Replace your query in the line before the rex command.
Please try and let us know

        |makeresults
        |eval _raw ="2019-12-03 17:31:27.633 INFO ,aabbe872bbf3f848,aabbe872bbf3f848,false] 15 --- [nio-8080-exec-5] c.u.f.p.api.impl.: InfoLogging Operation=MakePayment, RequestSourceCode=ZBL, PaymentResponse=class PaymentResponse { responseCode: AB0000 responseMessage: Declined - Do not Honor orderId: 269107641 }"
        |rex field=_raw "responseMessage:(?P<response_message>.+)orderId"
        | table response_message
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Assuming responseMessage is always followed by orderId, this should work.

rex field=msg "responseCode: (?.[a-z0-9A-Z_-]+)"| rex field=msg "responseMessage: (?.[a-z0-9A-Z_-]+) orderId"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...