Hi All, I'm trying to extract 2 fields from _raw but seems to be a bit of struggle I want to extract ERRTEXT and MSGXML, have tried using the option of extraction from Splunk and below are the re...
See more...
Hi All, I'm trying to extract 2 fields from _raw but seems to be a bit of struggle I want to extract ERRTEXT and MSGXML, have tried using the option of extraction from Splunk and below are the rex I got, The issue with the below rex for ERRTEXT is that it pulls all the MSGXML content as well. If there could be regex to extract something after ERRTEXT and MSGXML it would be great | rex field=_raw "^(?:[^=\n]*=){7}(?P<ERRTEXT>.+)"
| rex field=_raw "^(?:[^=\n]*=){8}(?P<MSGXML>.+)" Sample of the data that has been ingested in Splunk, this is data is from Splunk DB connect that is getting pushed over to Splunk 2021-12-09 09:56:00.998, FACILITY_DETAILS="/v1/facilities/XXXX/arrears", FACILITY_ID="101010/", TIMESTAMP="2021-12-09 03:41:06.768342", CORRELATION="414d51204d425032514d30322020xxxda4b", ORIGIN="FROMORIGIIN", ERRCODE="code":"400",", ERRTEXT="detail":"must be greater than the previously recorded value of 105 days","source":{"pointer":"/data/days_past_due"}}]}", MSGXML="{"errors":[{"id":"3a59de59-8b99-4e4a-abfb-XXXXXX","status":"400","code":"400","title":"days_past_due is invalid","detail":"must be greater than the previously recorded value of 105 days","source":{"pointer":"/data/days_past_due"}}]}" 2021-12-09 09:56:00.998, FACILITY_DETAILS="/v1/facilities/XXXX/arrears", FACILITY_ID="101010/", TIMESTAMP="2021-12-09 03:41:06.768342", CORRELATION="414d51204d425032514d30322020xxxda4b", ORIGIN="FROMORIGIIN", ERRCODE="code":"400",", ERRTEXT="detail":"must be greater than the previously recorded value of 105 days","source":{"pointer":"/data/days_past_due"}}]}", MSGXML="{"errors":[{"id":"3a59de59-8b99-4e4a-abfb-XXXXXX","status":"400","code":"400","title":"days_past_due is invalid","detail":"must be greater than the previously recorded value of 105 days","source":{"pointer":"/data/days_past_due"}}]}"