Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rex help

cbiraris
Path Finder
‎12-10-2024 03:32 AM

Hi Team,

I need help to created rex field for country from the sample log format as below. but country name position is not static and its getting change log by log in {}. can you help me to create regex field for country only ?

sample1

Student":{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

sample2
:Student":{"firstName":"XYZ","state":"MH","rollNum":147,"country":"IND","phoneNum":1478,"lastName":"qwe","phoneNu}

sample3
:Student":{"firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu,"country":"IND"}


so its mean, "country":"IND" anywhere in Student":{} should catch by regex

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-10-2024 09:58 AM

Handling structured data (and this looks like JSON; the question is whether it is a well-formed JSON or a JSON with headers or any other similar invention) with regex is prone to cause problems sooner or later. When a source produces structured data there is no guarantee that it will always output the fields in any particular order (that's why you use structured formats so you don't have to worry about stuff like position within a line and so on). If your event is well-formed JSON data you should be better off with KV_MODE=json - let Splunk handle parsing.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2024 05:21 AM

This looks like JSON - you might be better off using spath to parse the event.

0 Karma
Reply

cbiraris
Path Finder
‎12-10-2024 05:23 AM

Can you help with spath 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2024 08:42 AM

Please share your anonymised raw event in a code block (using the </> button)

0 Karma
Reply

alizarei
Loves-to-Learn
‎12-10-2024 05:03 AM

hi 

The rex command is used to search for a regular expression (regex) in a specific field. Here, the default field _raw is used, which contains the entire log.
Regex:

\"country\":\": This part looks for "country":".
(?<country>[^\"]+):
(?<country>...): Creates a group named country.
[^\"]+: Matches any character other than ". This part extracts the country value.
Finally, the country value (for example, IND) is stored in a new field named country.


This structure helps extract the word country wherever it appears.

| rex field=_raw  "\"country\":\"(?<country>[^\"]+)\""

You can test with this structure in regex101

(country":"([^"]+))

Capture.PNG

0 Karma
Reply

cbiraris
Path Finder
‎12-10-2024 05:20 AM

I have a log which contain multiple countries in same format so it grabbing all other countries from  same individual log .

for example:

Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

So if i use | rex field=_raw  "\"country\":\"(?<country>[^\"]+)\"" it showing me IND and USA. but i only want country related to student. 

Also as i stated earlier position of  "country":"*" is not same for all logs. its coming between anywhere Student:{*}

0 Karma
Reply

rishabhshah
Path Finder
‎12-11-2024 04:17 AM

Try this regex -

Student.*?country\"\:\"(?<country>[\w]+)\"

rishabhshah_0-1733919417074.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top