Please help me with rex
I have keys and values in JSON format
{"context":{
"sessionID":"1234567890",
"eventSeverity":"Debug",
"msgType":"REQUEST",
"appID":"someServices",
"eventID":"START","msgPayload":{"inboundMsg":{"msgContentType":"{"idtypes":["ABCDE","ABC"],"userName":"someName"}"}}}}
How to retrieve fields out of it?
Try like this. The rex sed command is required, as your data seems to have extra double quotes making it not pure JSON.
your current search which includes field _raw | rex mode=sed "s/\"{/{/g" | spath
Is this _raw or a field?
Yes, this is the _raw field
Which value do you want to extract?
sessionID,eventSeverity,msgType,appID,eventID,msgPayload,inboundMsg,msgContentType,idtypes,userName
I'd recommend kv_mode=json
But if you want to see how it's done then here ya go
... | rex "sessionID\"\:\"(?<SessionID>\d+)"
... | rex "eventSeverity\"\:\"(?<EventSeverity>\w+)"
... | rex "msgType\"\:\"(?<msgType>\w+)"
... | rex "appID\"\:\"(?<AppID>\w+)"
... | rex "eventID\"\:\"(?<EventID>\w+)"
"idtypes":["ABCDE","XYZ"]
How to write a rex for this?
What do you want to extract? ABCDE or XYZ, or the whole string ABCDE,XYZ?
["ABCDE","XYZ"]
this entire value
Here ya go. If this answered your question, can you please accept it?
... | rex "idtypes\":\[\"(?<Name1>\w+)\",\"(?<Name2>\w+)"
Try this:
... | rex "\"idtypes\":(?<idtypes>\S+)[,]"
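As an added example (not code from any post in this thread), the sed fix and the rex patterns above can be checked outside Splunk on the event from the question. The sample event is constructed from the question; the second substitution that also strips the quote after the closing `}` is my addition, since without it the event still does not parse as JSON.

```python
import json
import re

# Constructed sample event, copied from the question: the value of
# msgContentType is a nested JSON object wrapped in an extra pair of quotes.
RAW_EVENT = (
    '{"context":{"sessionID":"1234567890","eventSeverity":"Debug",'
    '"msgType":"REQUEST","appID":"someServices","eventID":"START",'
    '"msgPayload":{"inboundMsg":{"msgContentType":"{"idtypes":["ABCDE","ABC"],'
    '"userName":"someName"}"}}}}'
)

def normalize(raw: str) -> str:
    """Mirror of rex mode=sed "s/\"{/{/g": drop the quote before an embedded
    '{'. Also drops the quote after its matching '}' (my addition) so the
    whole event becomes one valid JSON document."""
    fixed = re.sub(r'"\{', '{', raw)   # s/\"{/{/g
    return re.sub(r'\}"', '}', fixed)  # s/}\"/}/g  (closing side)

def extract_fields(raw: str) -> dict:
    """spath-style extraction of the fields listed in the thread."""
    doc = json.loads(normalize(raw))
    ctx = doc["context"]
    content = ctx["msgPayload"]["inboundMsg"]["msgContentType"]
    return {
        "sessionID": ctx["sessionID"],
        "eventSeverity": ctx["eventSeverity"],
        "msgType": ctx["msgType"],
        "appID": ctx["appID"],
        "eventID": ctx["eventID"],
        "idtypes": content["idtypes"],      # a real list, not a string
        "userName": content["userName"],
    }

# The answers' rex patterns, written with Python named groups (?P<name>...).
REX_PATTERNS = {
    "SessionID": r'sessionID":"(?P<SessionID>\d+)',
    "EventID": r'eventID":"(?P<EventID>\w+)',
    # Greedy \S+ backtracks to the last comma in the event; the event has no
    # whitespace, so this only works because that comma follows the ']'.
    "idtypes": r'"idtypes":(?P<idtypes>\S+)[,]',
}

def rex_fields(raw: str) -> dict:
    """Apply the rex-style patterns directly to the unfixed _raw text."""
    out = {}
    for name, pattern in REX_PATTERNS.items():
        match = re.search(pattern, raw)
        if match:
            out[name] = match.group(name)
    return out
```

The rex route returns idtypes as the literal text `["ABCDE","ABC"]`, while the normalize-then-parse route yields a proper list, which is the difference between a search-time hack and a usable extraction.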
If you can add
KV_MODE = json
to your props.conf for this sourcetype it's going to save you a lot of trouble (extraction will be automatic).
rex is most useful when automatic extraction fails; try the builtin functionality first.
More details available here:
https://answers.splunk.com/answers/124406/extracting-fields-from-json-file-format.html
I need it during search time.
Understood. If this is something you're going to do on an ongoing basis, it's still a very good idea to get this stuff indexed in a usable manner instead of relying on search-time hacks. If it's a one-off, carry on 🙂