Hi,
I am using a regex to search for a field "statusCode" which could have multiple values, i.e. "200", "400", "500", etc. I am attempting to create an Interesting Field "statusCode" and have it sorted by the different statusCode values.
I am trying to perform a search using the following:
\\Sample Query
index=myCoolIndex cluster_name="myCoolCluster" sourcetype=myCoolSourceType label_app=myCoolAppName ("\"statusCode\"") | rex field=_raw \"statusCode\"\s:\s\"?(?<statusCode>2\d{2}|4\d{2}|5\d{2})\"?
\\Sample Log (Looks like a JSON object, but it's a string):
"{
  "correlationId" : "",
  "message" : "",
  "tracePoint" : "",
  "priority" : "",
  "category" : "",
  "elapsed" : 0,
  "locationInfo" : {
    "lineInFile" : "",
    "component" : "",
    "fileName" : "",
    "rootContainer" : ""
  },
  "timestamp" : "",
  "content" : {
    "message" : "",
    "originalError" : {
      "statusCode" : "200",
      "errorPayload" : {
        "error" : ""
      }
    },
    "standardizedError" : {
      "statusCode" : "400",
      "errorPayload" : {
        "errors" : [ {
          "error" : {
            "traceId" : "",
            "errorCode" : "",
            "errorDescription" : "",
            "errorDetails" : ""
          }
        } ]
      }
    },
    "standardizedError" : {
      "statusCode" : "500",
      "errorPayload" : {
        "errors" : [ {
          "error" : {
            "traceId" : "",
            "errorCode" : "",
            "errorDescription" : ""
            "errorDetails" : ""
          }
        } ]
      }
    }
  },
}"
Using online regex tools and a sample output of a log, I have confirmed the regex works outside of a Splunk query. I have also gone through numerous Splunk community threads where I have tried different permutations based on suggestions, with no luck. Any help would be appreciated.
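One way to check what the post's pattern actually returns against an event that carries several statusCode values, as an added example that is not part of the original post: Python's re module over a constructed log fragment modelled on the sample above. It shows the difference between a first-match extraction (what rex does by default) and an all-matches extraction (what rex does with max_match=0), plus a caveat about the literal single spaces around the colon; the SPL fragment in the comment is the quoted form the rex command expects.

```python
import re

# Constructed log fragment modelled on the sample in the post (not a real event).
SAMPLE_EVENT = '''"{
  "content" : {
    "originalError" : { "statusCode" : "200", "errorPayload" : { "error" : "" } },
    "standardizedError" : { "statusCode" : "400" },
    "standardizedError" : { "statusCode" : "500" }
  }
}"'''

# Same pattern as the post's rex. Python needs (?P<name>...) for a named group
# where Splunk/PCRE accept (?<name>...); everything else is identical.
# The SPL form must wrap the regex in double quotes, e.g.:
#   rex field=_raw max_match=0 "\"statusCode\"\s:\s\"?(?<statusCode>2\d{2}|4\d{2}|5\d{2})\"?"
STATUS_RE = re.compile(r'"statusCode"\s:\s"?(?P<statusCode>2\d{2}|4\d{2}|5\d{2})"?')


def first_status_code(raw: str):
    """Default rex behaviour (max_match=1): only the first hit is extracted."""
    m = STATUS_RE.search(raw)
    return m.group("statusCode") if m else None


def all_status_codes(raw: str):
    """Equivalent of rex ... max_match=0: every hit, as a multivalue list."""
    return STATUS_RE.findall(raw)


if __name__ == "__main__":
    print(first_status_code(SAMPLE_EVENT))   # 200
    print(all_status_codes(SAMPLE_EVENT))    # ['200', '400', '500']
    # Caveat: \s:\s requires exactly one whitespace on each side of the colon,
    # so a compact serialisation like "statusCode":"200" is not matched at all.
    print(first_status_code('"statusCode":"200"'))  # None
```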