Using regex to extract summary

bigll · ‎04-29-2024

in raw data I have portion that I would like to use in report.

"changes":{"description":{"before":"<some text or empty>","after":"<some text or empty>"}}

I created

rex summary= "changes":\{"description":\{"before":"<some text or empty>","after":"<some text or empty>"\}\})"

But it doesn't work.

Please advise

gcusello · ‎04-29-2024

Hi @bigll ,

as @ITWhisperer said, this seems to be a json format so the INDEXED_ENTRACTION = json option in props.conf or the spath command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath) is the easiest solution to your requirement.

Then the rex command has a different format to extract fields: the fied definition must be located inside the rex definition, as the following example using your data:

| rex "before\":\"(?<summary_before>[^\"]+)\".\"after\":\"(?<summary_after>[^\"]+)"

You can see how to extract and test your regex at https://regex101.com/r/22aHz1/1

Ciao.

Giuseppe

ITWhisperer · ‎04-29-2024

This is not how rex works - you need to provide a pattern as a regular expression to identify what you want to extract. For example, do you want everything from "change" to "}}"? Does this pattern hold true for all your event where you want to extract this field?

Aside from that, this looks like json - why aren't you using spath or the other json functions to extract the json field?

bigll · ‎04-30-2024

Thank you for your message.

You are correct, I need everything between {} as a value of the field I can include in the table.

ITWhisperer · ‎04-30-2024

Try this

| rex "\"changes\":(?<changes>\{.*?\}\})"

Using regex to extract summary

regex

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024