Hi all,
I am trying to extract the value for node_name (`10.205.138.245_151027113757`) in this case.
My rex expression, which isn't working, is:
rex field=_raw "\"node_name\".*\":\"(?<field_name>.{26})\""
Here is my data:
{"cookbook_name":"007_JavaMSP_Apache_Admintool_Installation"},"initial_state":{"checksum":null,"owner":null,"group":null,"mode":null},"resource_id":"/prod/msp/checksum/007_JavaMSP_ApacheAdminTool_Installation.install_apache_admintool.checksum.current","resource_name":"/prod/msp/checksum/007_JavaMSP_ApacheAdminTool_Installation.install_apache_admintool.checksum.current","resource_result":"create","resource_type":"file","message_type":"run_resource","message_version":"0.1.0","sequence_number":11,"run":{"start_time":"2015-10-27T20:57:57Z","run_id":"e2a2c337-b8fc-4ef5-adf4-d00f64f2bcce","node_name":"10.205.138.245_151027113757",}
If you have to parse JSON using regular expressions, try this:
... | rex "\"node_name\"\s*:\s*\"(?<node_name>[^\"]+)\""
Consider using spath for inline JSON parsing, or KV_MODE=json for configured search-time JSON parsing, or INDEXED_EXTRACTIONS=json for index-time JSON parsing.
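Both patterns from this thread can be checked outside Splunk. The following is an added example, not code from either poster; JavaScript accepts the same `(?<name>...)` named-group syntax, so the two patterns are copied verbatim. The event is a shortened copy of the sample in the question, and `escapeAwarePattern`, `extract` and `nodeName` are hypothetical names that go one step beyond the answer by handling escaped quotes inside the value.

```javascript
// Constructed input: the tail of the sample event from the question (still a fragment,
// with the trailing ",}" that makes it invalid JSON).
const sampleEvent =
  '"sequence_number":11,"run":{"start_time":"2015-10-27T20:57:57Z",' +
  '"run_id":"e2a2c337-b8fc-4ef5-adf4-d00f64f2bcce",' +
  '"node_name":"10.205.138.245_151027113757",}';

// Pattern from the question: needs another `":"` somewhere after "node_name"
// and a value of exactly 26 characters (the sample value has 27).
const questionPattern = /"node_name".*":"(?<field_name>.{26})"/;

// Pattern from the answer: optional whitespace around the colon, value of any length.
const answerPattern = /"node_name"\s*:\s*"(?<node_name>[^"]+)"/;

// Hypothetical stricter variant (not from the page): also accepts JSON escape
// sequences such as \" inside the value instead of stopping at them.
const escapeAwarePattern = /"node_name"\s*:\s*"(?<node_name>(?:[^"\\]|\\.)*)"/;

// Return the named capture group, or null when the pattern does not match.
function extract(pattern, raw, group) {
  const m = pattern.exec(raw);
  return m ? m.groups[group] : null;
}

// Prefer a real JSON parse when the event is a complete object; fall back to the
// escape-aware regex for fragments like sampleEvent.
function nodeName(raw) {
  try {
    const obj = JSON.parse(raw);
    if (obj && obj.run && typeof obj.run.node_name === "string") return obj.run.node_name;
  } catch (_) { /* not valid JSON, use the regex below */ }
  const quoted = extract(escapeAwarePattern, raw, "node_name");
  return quoted === null ? null : JSON.parse('"' + quoted + '"'); // decode escapes
}

console.log(extract(questionPattern, sampleEvent, "field_name"));
console.log(extract(answerPattern, sampleEvent, "node_name"));
console.log(nodeName(sampleEvent));
```
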