Re: rex help

cbiraris · ‎12-10-2024

Hi Team,

I need help to created rex field for country from the sample log format as below. but country name position is not static and its getting change log by log in {}. can you help me to create regex field for country only ?

sample1

Student":{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

sample2
:Student":{"firstName":"XYZ","state":"MH","rollNum":147,"country":"IND","phoneNum":1478,"lastName":"qwe","phoneNu}

sample3
:Student":{"firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu,"country":"IND"}

so its mean, "country":"IND" anywhere in Student":{} should catch by regex

PickleRick · ‎12-10-2024

Handling structured data (and this looks like JSON; the question is whether it is a well-formed JSON or a JSON with headers or any other similar invention) with regex is prone to cause problems sooner or later. When a source produces structured data there is no guarantee that it will always output the fields in any particular order (that's why you use structured formats so you don't have to worry about stuff like position within a line and so on). If your event is well-formed JSON data you should be better off with KV_MODE=json - let Splunk handle parsing.

ITWhisperer · ‎12-10-2024

This looks like JSON - you might be better off using spath to parse the event.

cbiraris · ‎12-10-2024

Can you help with spath

ITWhisperer · ‎12-10-2024

Please share your anonymised raw event in a code block (using the </> button)

alizarei · ‎12-10-2024

hi

The rex command is used to search for a regular expression (regex) in a specific field. Here, the default field _raw is used, which contains the entire log.
Regex:

\"country\":\": This part looks for "country":".
(?<country>[^\"]+):
(?<country>...): Creates a group named country.
[^\"]+: Matches any character other than ". This part extracts the country value.
Finally, the country value (for example, IND) is stored in a new field named country.

This structure helps extract the word country wherever it appears.

| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""

You can test with this structure in regex101

(country":"([^"]+))

cbiraris · ‎12-10-2024

I have a log which contain multiple countries in same format so it grabbing all other countries from same individual log .

for example:

Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

So if i use | rex field=_raw "\"country\":\"(?<country>[^\"]+)\"" it showing me IND and USA. but i only want country related to student.

Also as i stated earlier position of "country":"*" is not same for all logs. its coming between anywhere Student:{*}

rishabhshah · ‎12-11-2024

Try this regex -

Student.*?country\"\:\"(?<country>[\w]+)\"

rex help

rex

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Are you a member of the Splunk Community?

rex help

rex

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2