Re: parse and index json fields from string messag...

vashodha · ‎02-18-2021

Hello,

I have log in the format

"2021-02-18T16:17:12,189Z [main] INFO logname -streamstart-k1:V1,K2:V2,K3:V3,streamstop, <ADDIITONAL DATA>" i want to parse out json elements k1:v1 etc thats between "-streamstart" and streamstop

b4badri · ‎02-18-2021

Try this

rex "streamstart(?<myvariable>(.*)(?=streamstop))"

vashodha · ‎02-18-2021

it does the job but still dosent index the fields its extracted it out to the variable can we somehow index these csv values

vashodha · ‎02-18-2021

This gives me what i want but i am unable to index it in splunk

(?<=streamstart-).*?(?=streamstop)

b4badri · ‎02-18-2021

Hi @vashodha

Yes. Data extracted using rex in the search time will only be available for the search. You need to follow series of steps based on your Splunk solution for creating fields at Index time.

Please refer the below article.

Create custom fields at index time - Splunk Documentation

parse and index json fields from string message

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation