Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex help

surekhasplunk
Communicator
‎09-25-2020 03:15 AM

Hello,

index=myindex| spath "Rules{}" output=rules |mvexpand rules
 | table device ip rules

Now my rules has data like below:

rules

{"name": "abc def - 123", "result": true}

i want to now make it into two columns rule_name and rule_result

can you please help me with the regex. 

 

 

Labels (1)
Labels
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2020 03:44 AM

Hi @surekhasplunk,

please try this regex:

| rex "\"name\":\s+\"(?<name>[^\"]+)\",\s+\"result\":\s+(?<result>\w+)"

that you can test at https://regex101.com/r/3DyKHn/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2020 04:15 AM

Why rex and not spath again?

| spath input=rules ...
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-25-2020 05:08 AM

Hi @ITWhisperer .. i am from a sabbatical vacation and also i havent used spath. so i miss some context here. 

may i know how spath can do the job of rex?(this is what my understanding from ur reply)..

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2020 05:23 AM

Hi @inventsekar 

spath is used for parsing and extracting fields from JSON and XML strings. In this instance, spath was used to extract the rules from _raw (which must have been JSON)

index=myindex| spath "Rules{}" output=rules |mvexpand rules

  It yielded the next level down which appears to be more JSON

{"name": "abc def - 123", "result": true}

 So spath could have been used to extract these fields too

| spath input=rules
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2020 03:44 AM

Hi @surekhasplunk,

please try this regex:

| rex "\"name\":\s+\"(?<name>[^\"]+)\",\s+\"result\":\s+(?<result>\w+)"

that you can test at https://regex101.com/r/3DyKHn/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2020 05:01 AM

Hi @surekhasplunk,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...