Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex extraction xsd tag

indeed_2000
Motivator
‎10-02-2021 05:52 AM

Hi what is the rex for "No is invalid. Please ask to a admin"

Here is the log:

21:32:26.729 customer modules: type="xsd:string">&lt;response&gt;&lt;result&gt;ActionFail&lt;/result&gt;&lt;errno&gt;00000&lt;/errno&gt;&lt;desc&gt;No is invalid. Please ask to a admin&lt;/desc&gt;&lt;jobid&gt;000000&lt;/jobid&gt;&lt;msgid&gt;00000&lt;/msgid&gt;&lt;cmd&gt;info&lt;/cmd&gt;&lt;/response&gt;</return></ad1:

Thanks,

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-02-2021 07:46 AM

Hi @indeed_2000,

sorry but I don't understand what you realy want:

if you want to search the string, you don't need the regex and you can use the Splunk search;

If you want to use the regex command to search the string, you can use the command

| regex "No is invalid. Please ask to a admin"

Your log seems to be a Json log, so you could use the "spath" command

if you want to extract the "desc" field (that  in this case is  "No is invalid. Please ask to a admin"), you could use the rex command:

| rex "\<desc\>(?<desc>[^\<]+)\<\/desc\>"

or the rex command

| rex "\&lt;desc\&gt;(?<desc>[^\<]+)\&lt;\/desc\&gt;"

Let me know.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-02-2021 07:46 AM

Hi @indeed_2000,

sorry but I don't understand what you realy want:

if you want to search the string, you don't need the regex and you can use the Splunk search;

If you want to use the regex command to search the string, you can use the command

| regex "No is invalid. Please ask to a admin"

Your log seems to be a Json log, so you could use the "spath" command

if you want to extract the "desc" field (that  in this case is  "No is invalid. Please ask to a admin"), you could use the rex command:

| rex "\<desc\>(?<desc>[^\<]+)\<\/desc\>"

or the rex command

| rex "\&lt;desc\&gt;(?<desc>[^\<]+)\&lt;\/desc\&gt;"

Let me know.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

indeed_2000
Motivator
‎10-02-2021 11:02 AM

second rex work perfectly.

thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...