Solved: rex help

surekhasplunk · ‎09-25-2020

Hello,

index=myindex| spath "Rules{}" output=rules |mvexpand rules
| table device ip rules

Now my rules has data like below:

rules

{"name": "abc def - 123", "result": true}

i want to now make it into two columns rule_name and rule_result

can you please help me with the regex.

gcusello · ‎09-25-2020

Hi @surekhasplunk,

please try this regex:

| rex "\"name\":\s+\"(?<name>[^\"]+)\",\s+\"result\":\s+(?<result>\w+)"

that you can test at https://regex101.com/r/3DyKHn/1

Ciao.

Giuseppe

View solution in original post

ITWhisperer · ‎09-25-2020

Why rex and not spath again?

| spath input=rules ...

inventsekar · ‎09-25-2020

Hi @ITWhisperer .. i am from a sabbatical vacation and also i havent used spath. so i miss some context here.

may i know how spath can do the job of rex?(this is what my understanding from ur reply)..

ITWhisperer · ‎09-25-2020

Hi @inventsekar

spath is used for parsing and extracting fields from JSON and XML strings. In this instance, spath was used to extract the rules from _raw (which must have been JSON)

index=myindex| spath "Rules{}" output=rules |mvexpand rules

It yielded the next level down which appears to be more JSON

{"name": "abc def - 123", "result": true}

So spath could have been used to extract these fields too

| spath input=rules

gcusello · ‎09-25-2020

Hi @surekhasplunk,

please try this regex:

| rex "\"name\":\s+\"(?<name>[^\"]+)\",\s+\"result\":\s+(?<result>\w+)"

that you can test at https://regex101.com/r/3DyKHn/1

Ciao.

Giuseppe

gcusello · ‎09-25-2020

Hi @surekhasplunk,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

rex help

rex

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!