sample log:
{"date" : "2021-01-01 00:00:00.123 | dharam=fttc-pb-12312-esse-4 | appLevel=INRO | appName=REME_CASHE_ATTEMPT_PPI | env=sit | hostName=apphost000adc | pointer=ICFD | applidName=http.ab.web.com|news= | list=OUT_GOING | team=norpass | Category=success | status=NEW | timeframe=20", "tags": {"host": "apphost000adc" , "example": "6788376378jhjgjhdh2h3jhj2", "region": null, "resource": "add-njdf-tydfth-asd-1"}}
I used the regex below to extract all fields, but one field is not getting extracted: timeframe.
|regex _raw= (\w+)\=(.+?) \|
How do I modify my regex to extract the timeframe field as well?
Hi,
regex _raw is the wrong command here…
regex - Splunk Documentation
but rex seems wrong too
because it can't do a key value extraction in search.
I found an odd way to handle this:
| spath | rename _raw AS temp date AS _raw | extract pairdelim="|" kvdelim="=" | rename _raw as date temp as _raw
reference: extract - Splunk Documentation
Is this what you are searching for?
Kind Regards
The timeframe field is not terminated by a pipe, like the other fields, so the regex doesn't match. Try this:
| rex "(\w+)=([^\|\"]+)"
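To see why the original pattern drops the last field, here is an added Python check (not from this thread or from Splunk) that runs both regexes from the thread over the sample log with Python's `re` module; the sample event and the helper names are constructed for this illustration:

```python
import re

# Constructed copy of the sample event from the question (one line in the real log).
SAMPLE_RAW = (
    '{"date" : "2021-01-01 00:00:00.123 | dharam=fttc-pb-12312-esse-4 | appLevel=INRO '
    '| appName=REME_CASHE_ATTEMPT_PPI | env=sit | hostName=apphost000adc | pointer=ICFD '
    '| applidName=http.ab.web.com|news= | list=OUT_GOING | team=norpass '
    '| Category=success | status=NEW | timeframe=20", "tags": {"host": "apphost000adc" , '
    '"example": "6788376378jhjgjhdh2h3jhj2", "region": null, '
    '"resource": "add-njdf-tydfth-asd-1"}}'
)

# The question's pattern: every value must be followed by " |".
ORIGINAL_PATTERN = r"(\w+)\=(.+?) \|"
# The accepted answer's pattern: a value runs until the next pipe or double quote.
FIXED_PATTERN = r'(\w+)=([^|"]+)'


def extract_kv(pattern: str, raw: str) -> dict:
    """Return all key=value pairs the pattern captures, as rex with max_match=0 would."""
    return {key: value for key, value in re.findall(pattern, raw)}


def missing_keys(pattern: str, raw: str, expected: set) -> set:
    """Keys from `expected` that `pattern` fails to capture from `raw`."""
    return expected - set(extract_kv(pattern, raw))


EXPECTED_KEYS = {
    "dharam", "appLevel", "appName", "env", "hostName", "pointer", "applidName",
    "news", "list", "team", "Category", "status", "timeframe",
}

if __name__ == "__main__":
    # timeframe is the final field: it ends at '"', never at " |", so the
    # original pattern has no terminator to anchor on and skips it.
    print("original misses:", missing_keys(ORIGINAL_PATTERN, SAMPLE_RAW, EXPECTED_KEYS))
    # The original pattern also swallows "news=" into applidName's value,
    # because the value is terminated by "|news= |" rather than " |".
    print("applidName (original):", extract_kv(ORIGINAL_PATTERN, SAMPLE_RAW)["applidName"])
    print("fixed misses:", missing_keys(FIXED_PATTERN, SAMPLE_RAW, EXPECTED_KEYS))
```

Values captured by the fixed pattern keep their trailing space before the pipe, exactly as rex would return them in Splunk.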
Thanks, it worked.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.