Here is the message in Splunk, and I am trying to extract customer and channel:
{"line":"2020-04-03T12:24:54.589Z LCS {\"customer\":5,\"channel\":\"sqs\",\"notificationId\":213546}
When I run something like this
index=docker "Exception" | rex "CustomerID: (?<customer>\S+)," | rex "channelName\\\\\":\\\\\"(?<channel>\w+)" | stats count(notificationId) by CustomerID
I am able to see the CustomerID extracted
but when I do
index=docker "Exception" | rex "CustomerID: (?<customer>\S+)," | rex "channelName\\\\\":\\\\\"(?<channel>\w+)" | stats count(notificationId) by CustomerID, channelName
It is not displaying any results, which tells me I am not extracting the channelName correctly. How can I fix this?