Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rex help

cbiraris
Path Finder
‎12-10-2024 03:32 AM

Hi Team,

I need help to created rex field for country from the sample log format as below. but country name position is not static and its getting change log by log in {}. can you help me to create regex field for country only ?

sample1

Student":{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

sample2
:Student":{"firstName":"XYZ","state":"MH","rollNum":147,"country":"IND","phoneNum":1478,"lastName":"qwe","phoneNu}

sample3
:Student":{"firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu,"country":"IND"}


so its mean, "country":"IND" anywhere in Student":{} should catch by regex

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-10-2024 09:58 AM

Handling structured data (and this looks like JSON; the question is whether it is a well-formed JSON or a JSON with headers or any other similar invention) with regex is prone to cause problems sooner or later. When a source produces structured data there is no guarantee that it will always output the fields in any particular order (that's why you use structured formats so you don't have to worry about stuff like position within a line and so on). If your event is well-formed JSON data you should be better off with KV_MODE=json - let Splunk handle parsing.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2024 05:21 AM

This looks like JSON - you might be better off using spath to parse the event.

0 Karma
Reply

cbiraris
Path Finder
‎12-10-2024 05:23 AM

Can you help with spath 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2024 08:42 AM

Please share your anonymised raw event in a code block (using the </> button)

0 Karma
Reply

alizarei
Loves-to-Learn
‎12-10-2024 05:03 AM

hi 

The rex command is used to search for a regular expression (regex) in a specific field. Here, the default field _raw is used, which contains the entire log.
Regex:

\"country\":\": This part looks for "country":".
(?<country>[^\"]+):
(?<country>...): Creates a group named country.
[^\"]+: Matches any character other than ". This part extracts the country value.
Finally, the country value (for example, IND) is stored in a new field named country.


This structure helps extract the word country wherever it appears.

| rex field=_raw  "\"country\":\"(?<country>[^\"]+)\""

You can test with this structure in regex101

(country":"([^"]+))

Capture.PNG

0 Karma
Reply

cbiraris
Path Finder
‎12-10-2024 05:20 AM

I have a log which contain multiple countries in same format so it grabbing all other countries from  same individual log .

for example:

Student:{"country":"IND","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu} teacher:{"country":"USA","firstName":"XYZ","state":"MH","rollNum":147,"phoneNum":1478,"lastName":"qwe","phoneNu}

So if i use | rex field=_raw  "\"country\":\"(?<country>[^\"]+)\"" it showing me IND and USA. but i only want country related to student. 

Also as i stated earlier position of  "country":"*" is not same for all logs. its coming between anywhere Student:{*}

0 Karma
Reply

rishabhshah
Path Finder
‎12-11-2024 04:17 AM

Try this regex -

Student.*?country\"\:\"(?<country>[\w]+)\"

rishabhshah_0-1733919417074.png

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...