Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

rex help

surekhasplunk
Communicator
‎09-25-2020 03:15 AM

Hello,

index=myindex| spath "Rules{}" output=rules |mvexpand rules
 | table device ip rules

Now my rules has data like below:

rules

{"name": "abc def - 123", "result": true}

i want to now make it into two columns rule_name and rule_result

can you please help me with the regex. 

 

 

Labels (1)
Labels
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2020 03:44 AM

Hi @surekhasplunk,

please try this regex:

| rex "\"name\":\s+\"(?<name>[^\"]+)\",\s+\"result\":\s+(?<result>\w+)"

that you can test at https://regex101.com/r/3DyKHn/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2020 04:15 AM

Why rex and not spath again?

| spath input=rules ...
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-25-2020 05:08 AM

Hi @ITWhisperer .. i am from a sabbatical vacation and also i havent used spath. so i miss some context here. 

may i know how spath can do the job of rex?(this is what my understanding from ur reply)..

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2020 05:23 AM

Hi @inventsekar 

spath is used for parsing and extracting fields from JSON and XML strings. In this instance, spath was used to extract the rules from _raw (which must have been JSON)

index=myindex| spath "Rules{}" output=rules |mvexpand rules

  It yielded the next level down which appears to be more JSON

{"name": "abc def - 123", "result": true}

 So spath could have been used to extract these fields too

| spath input=rules
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2020 03:44 AM

Hi @surekhasplunk,

please try this regex:

| rex "\"name\":\s+\"(?<name>[^\"]+)\",\s+\"result\":\s+(?<result>\w+)"

that you can test at https://regex101.com/r/3DyKHn/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2020 05:01 AM

Hi @surekhasplunk,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...