Splunk rex example

Assuming a log with the following format:

{
  hub_name: SplunkEdgeHub-2884
  level: info
  message: z2m:mqtt: MQTT publish: topic 'zigbee2mqtt/Office Right', payload '{"child_lock":null,"current":0.34,"energy":144.38,"indicator_mode":null,"linkquality":112,"power":58,"power_outage_memory":null,"state":"ON","update":{"installed_version":-1,"latest_version":-1,"state":null},"voltage":239}'
}

The following search extracts the topic (i.e. zigbee2mqtt/Office Right) and the payload (i.e. {"child_lock":null,"current":0.34,"energy":144.38,"indicator_mode":null,"linkquality":112,"power":58,"power_outage_memory":null,"state":"ON","update":{"installed_version":-1,"latest_version":-1,"state":null},"voltage":239}) from the message field with a regex, then expands the payload's JSON keys into fields:

index=edge_hub_mqtt source="edgehub/mqtt_events/zigbee2mqtt/bridge/logging"
| rex field=message ".*topic\s'(?<topic>.*?)',\spayload\s'(?<payload>.*?)'"
| spath input=payload
| table topic, payload, power, battery
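To check what the rex pattern captures before running it against an index, here is an added Python example (not from the original snippet) that applies the same regex to the sample message and mimics the `spath` and `table` steps, including the dotted keys spath produces for the nested `update` object and the empty `battery` column:

```python
import json
import re
from typing import Optional

# Constructed sample: the `message` field of the log event shown above.
MESSAGE = (
    "z2m:mqtt: MQTT publish: topic 'zigbee2mqtt/Office Right', payload "
    '\'{"child_lock":null,"current":0.34,"energy":144.38,"indicator_mode":null,'
    '"linkquality":112,"power":58,"power_outage_memory":null,"state":"ON",'
    '"update":{"installed_version":-1,"latest_version":-1,"state":null},"voltage":239}\''
)

# The snippet's rex pattern. Splunk's (?<name>...) is PCRE; Python's re spells it (?P<name>...).
# Both captures are lazy, so each stops at the first single quote: a payload containing a '
# would be truncated there.
REX = re.compile(r".*topic\s'(?P<topic>.*?)',\spayload\s'(?P<payload>.*?)'")


def rex(message: str) -> Optional[dict]:
    """Mimic `rex field=message ...`: named groups become fields; None when nothing matches."""
    m = REX.search(message)
    return m.groupdict() if m else None


def _flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects to dotted keys (update.installed_version), as spath does."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(_flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def spath(payload: str) -> dict:
    """Mimic `spath input=payload`: parse the JSON; unparsable input yields no fields."""
    try:
        parsed = json.loads(payload)
    except json.JSONDecodeError:
        return {}
    return _flatten(parsed) if isinstance(parsed, dict) else {}


def table(message: str, fields=("topic", "payload", "power", "battery")) -> dict:
    """Mimic `table topic, payload, power, battery`: one row, None for fields the event lacks."""
    row = dict(rex(message) or {})
    row.update(spath(row.get("payload", "")))
    return {f: row.get(f) for f in fields}
```

`table(MESSAGE)` yields `power` 58 and `battery` None, because this device's payload carries no battery key; `rex` returns None for a message without the `topic '...'` pattern, matching how Splunk's rex simply adds no fields.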