I have a splunk log in the below format:
{"Apple":
{"message":"abcdefgh.ijkl","code":"200"}
}
I want to filter the message "abcdefgh.ijkl" and code separately.
Asked
Active
Viewed 452 times
0
-
So, what have You tried so far? – Kamiccolo Mar 20 '19 at 14:46
-
rex field = message_text "{(\w+)*:(\w+)*:(?
(.*)\s)" – Sateesh M Mar 20 '19 at 14:49 -
Would You be so kind and update Your question in reproducible and verifiable manner. Just like [MCVE](https://stackoverflow.com/help/mcve) describes. – Kamiccolo Mar 20 '19 at 14:52
-
in the log that I said in question will come as message_text: {} – Sateesh M Mar 20 '19 at 14:52
-
this is how i get the log. message_text: {"data": {"message":"I'm a Developer.Lives in Hyderabad","code":"200"} } – Sateesh M Mar 20 '19 at 14:53
1 Answers
0
Try this rex command in your query.
... | rex "message\":\"(?<message>[^\"]+)\",\"code\":\"(?<code>\d+)" | ...
RichG
- 9,063
- 2
- 18
- 29