How to choose only some values extracted from rex command

guillecasco
Path Finder

Hey, I have this rex command which extracts some fields as JSON data from a lot of logs

| rex field=summary "BODY: (?<json_data>\{.*)"

logs

BODY: {"shared": {"System.ProcessorName": "Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz", "System.Manufacturer": "GIGABYTE",  "Graphics.PCReleaseMajor": "15",  "OS.Arch": "64",, "a_data": [{"version": "9.1.4", "id": "7c965dd7-28f6-4e79-8a9c-a5d85425c371"}, {"version": "25678", "id": "8c177884-6479-48ec-8634-1243bd9c9206"}]}

So in the interesting fields I have (among others): shared.system.processorname, shared.system.manufacturer, and so on.
The thing is that in a_data.version I have two types of version in the logs, but they are named the same (a_data.version). How can I choose/select only the second one? I.e. I need to have only a_data.version: 25678 and not a_data.version: 9.1.4.

Is there a way to do this or not? When I do stats count by version I get all versions, but I only need the last version and not the first one. Is there a way to "name" them differently or something like that?

This is the search:

index=foo | rex field=summary "BODY: (?<json_data>\{.*)" | spath input=json_data | stats count by shared.a_data{}.version | sort -count

Thanks!

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

There seems to be an extra comma in the data you posted, so that nothing extracts after OS.Arch.

| makeresults 
| eval summary="BODY: {\"shared\": {\"System.ProcessorName\": \"Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz\", \"System.Manufacturer\": \"GIGABYTE\", \"Graphics.PCReleaseMajor\": \"15\", \"OS.Arch\": \"64\",, \"a_data\": [{\"version\": \"9.1.4\", \"id\": \"7c965dd7-28f6-4e79-8a9c-a5d85425c371\"}, {\"version\": \"25678\", \"id\": \"8c177884-6479-48ec-8634-1243bd9c9206\"}]}" 
| rex field=summary "BODY: (?<json_data>.*)"  
| spath input=json_data

Test data with extra comma removed

| makeresults count=2
| eval summary="BODY: {\"shared\": {\"System.ProcessorName\": \"Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz\", \"System.Manufacturer\": \"GIGABYTE\", \"Graphics.PCReleaseMajor\": \"15\", \"OS.Arch\": \"64\", \"a_data\": [{\"version\": \"9.1.4\", \"id\": \"7c965dd7-28f6-4e79-8a9c-a5d85425c371\"}, {\"version\": \"25678\", \"id\": \"8c177884-6479-48ec-8634-1243bd9c9206\"}]}" 
| rex field=summary "BODY: (?<json_data>.*)"  
| spath input=json_data
| rename shared.a_data{}.version as version, shared.a_data{}.id as id 
| eval version = mvindex(version,-1) 
| eval id = mvindex(id,-1) 
| stats count by version
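
An added example, not from DalJeanis's post, built on the accepted answer's test data (shortened and constructed inline): instead of picking the a_data entry by position with mvindex, it pairs each version with its id using mvzip and mvexpand and then keeps only the build-number-style versions, so the selection does not depend on array order.

```spl
| makeresults count=2
| eval summary="BODY: {\"shared\": {\"OS.Arch\": \"64\", \"a_data\": [{\"version\": \"9.1.4\", \"id\": \"7c965dd7-28f6-4e79-8a9c-a5d85425c371\"}, {\"version\": \"25678\", \"id\": \"8c177884-6479-48ec-8634-1243bd9c9206\"}]}}"
| rex field=summary "BODY: (?<json_data>\{.*)"
| spath input=json_data
| eval pair=mvzip('shared.a_data{}.version', 'shared.a_data{}.id', "|")
| mvexpand pair
| rex field=pair "^(?<version>[^|]+)\|(?<id>.+)$"
| where match(version, "^[0-9]+$")
| stats count by version, id
```

With the two identical test events this yields one row, version 25678 with count 2, and the id stays attached to the version it came from. Events whose JSON failed to parse (like the extra-comma sample above) get no pair and silently drop out, so compare the row count against the event count if you need to notice them.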

guillecasco
Path Finder

awesome! that worked

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Great! Glad to help.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try like this (check the rex command, as it was truncated in the question):

index=foo | rex field=summary "BODY: (?<json_data>\{.*)" | spath input=json_data | eval version=mvindex('shared.a_data{}.version',-1) | stats count by version | sort -count
0 Karma

guillecasco
Path Finder

I'm getting this error with that command, which I think would work. The -1 only takes the last value, doesn't it?

"Error in 'eval' command: Arguments are missing. Usage: eval dest_key = expression"

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

The field name was omitted by the web interface from somesoni2's code:

rex field=summary "BODY: (?<json_data>{.*)" 
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi guillecasco,
there are many things that you could do:

  • format your rex as you prefer (e.g.: \d+);
  • if you have numbers choose the highest between them;
  • put a second filter in your search

Bye.
Giuseppe

0 Karma

guillecasco
Path Finder

How would a second filter work? If I put another filter, it will still apply to version, either the first or the second one.
Also, what do you mean by "if you have numbers choose the highest between them"?

0 Karma