Hi,
I have a search where I am attempting to extract 2 different fields from one string response using "rex":
1st Field: rex "\"traceId\"\s:\s\"?(?<traceId>.*?)\""
2nd Field: rex "\"statusCode\"\s:\s\"?(?<tstatusCode>2\d{2}|4\d{2}|5\d{2})\"?"
I am attempting to "dedup" the 1st field (traceId) before I pipe those results into the 2nd field (statusCode). I have attempted multiple variations based on Splunk threads and other internet resources. Below is the query I am making:
index=myCoolIndex cluster_name="myCoolCluster" sourcetype=myCoolSourceType label_app=myCoolApp ("\"statusCode\"") | rex "\"traceId\"\s:\s\"?(?<traceId>.*?)\"" | dedup traceId | rex "\"statusCode\"\s:\s\"?(?<tstatusCode>2\d{2}|4\d{2}|5\d{2})\"?"
// I have tried a lot of other permutations; this is just one
Below is the response from the log (looks like JSON but it is string type):
\\Sample Log (Looks like a JSON object, but it's a string):
"{
"correlationId" : "",
"message" : "",
"tracePoint" : "",
"priority" : "",
"category" : "",
"elapsed" : 0,
"locationInfo" : {
"lineInFile" : "",
"component" : "",
"fileName" : "",
"rootContainer" : ""
},
"timestamp" : "",
"content" : {
"message" : "",
"originalError" : {
"statusCode" : "200",
"errorPayload" : {
"error" : ""
}
},
"standardizedError" : {
"statusCode" : "500",
"errorPayload" : {
"errors" : [ {
"error" : {
"traceId" : "9539510-d8771da0-a7ce-11ed-921c-d6a73926c0ac",
"errorCode" : "",
"errorDescription" : "",
"errorDetails" : ""
}
} ]
}
}
}
}"
The intent of the query is to:
Extract field "traceId", then "dedup" "traceId" (to remove duplicates), then extract field "statusCode" and sort "statusCode" values.
When running these regexes independently of each other they work as expected, but I need to combine them into one query as I will be creating charts in my next step. All help is appreciated.
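An added example (not from the original post) of the combined pipeline written in SPL, reusing the index, sourcetype and field names from the question. The second rex is anchored on "standardizedError" because the sample log carries two statusCode values (200 under originalError, 500 under standardizedError) and an unanchored pattern captures whichever appears first in the string; the assumed stats/sort tail turns the deduplicated events into chart-ready counts.

```spl
index=myCoolIndex cluster_name="myCoolCluster" sourcetype=myCoolSourceType label_app=myCoolApp "\"statusCode\""
| rex "\"traceId\"\s:\s\"?(?<traceId>[^\"]+)\""
| rex "\"standardizedError\"\s:\s\{\s*\"statusCode\"\s:\s\"?(?<statusCode>[245]\d{2})\"?"
| where isnotnull(traceId) AND isnotnull(statusCode)
| dedup traceId
| stats count by statusCode
| sort statusCode
```

dedup keeps the first event it sees for each traceId, so add a sort on _time before it if a specific occurrence (oldest or newest) should win.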