Solved: regex help

surekhasplunk · ‎05-19-2020

{"device":"abcd","host":"1.2.3.4"}
{"device":"efgh [ = ILO = ]","host":"2.3.4.5"}
{"device":"qrst - [ab cd ef]","host":"4.5.6.7"}

My data looks like this in the _raw.

now i am trying to fetch device and host using regex. please help. It should be simple but since host is a default keyword the host from which data is coming is also coming with field name host so i need to rename host coming in _raw to ip

to4kawa · ‎05-19-2020

|makeresults
| eval _raw="{\"device\":\"abcd\",\"host\":\"1.2.3.4\"}
{\"device\":\"efgh [ = ILO = ]\",\"host\":\"2.3.4.5\"}
{\"device\":\"qrst - [ab cd ef]\",\"host\":\"4.5.6.7\"}"
| multikv noheader=t
| fields _raw
| spath

View solution in original post

to4kawa · ‎05-19-2020

|makeresults
| eval _raw="{\"device\":\"abcd\",\"host\":\"1.2.3.4\"}
{\"device\":\"efgh [ = ILO = ]\",\"host\":\"2.3.4.5\"}
{\"device\":\"qrst - [ab cd ef]\",\"host\":\"4.5.6.7\"}"
| multikv noheader=t
| fields _raw
| spath

vnravikumar · ‎05-19-2020

Hi

Try this rex

|rex "\"device\"\:\"(?P<device>[^"]+)\"\,\"host\"\:\"(?P<ip>[^"]+)"

regex help

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring