topic How to extract field between double quotes using rex? in Splunk Enterprise

How to extract field between double quotes using rex?

sureshkumaar — Tue, 21 Mar 2023 16:56:19 GMT

We have multiple lines within double quotes and to be updated in the different field names according to the name we have.

All values has to be in different field names separately which is within double quotes

the below regex is working and but picking all the values and updating in one field, i am looking for

1. where the value within first double quotes getting picked in one common field name

2. where the value within second double quotes getting picked in second common field name

3. where the value within third double quotes getting picked in third common field name

| rex "\\\"(?<JobId>[^\\\"]+)"

"17449551"

"pmqcd1p3"

"SAP for Oracle"

"PMQ"

"N/A"

"default"

"(Logcommand line)"

Re: Extract field between double quotes using rex

ITWhisperer — Tue, 21 Mar 2023 12:18:24 GMT

Please share your complete raw event in a code block </> so that formatting is not compromised.

Re: Extract field between double quotes using rex

sureshkumaar — Tue, 21 Mar 2023 12:55:06 GMT

Hi @ITWhisperer

This is the raw event coming from a CSV file

The values which ever coming in double quotes has to be separated and get updated in unique field names
Even if there are empty within the double quotes it shouldn't skip
Some times characters are lengthy which shouldn't get updated in another field

"17449551","pmqcd1p3","SAP for Oracle","PMQ","N/A","default","(Logcommand line)","Backup 3RD","Full(Log)","Mar 20, 2023","Mar 20, 2023, 10:21:16 AM","20","","0","Failed","CVLT","Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd","","","Mar 20, 2023, 10:41:49 AM"

Re: Extract field between double quotes using rex

ITWhisperer — Tue, 21 Mar 2023 13:02:57 GMT

Assuming all your field values are in double quotes, even the numerics, and that you have no embedded / escaped double quotes, you can do something like this

| rex max_match=0 "(?<field>\"[^\"]*\")" | eval field1=mvindex(field,0) | eval field2=mvindex(field,1)

Note, mvindex indexes start at zero - obviously you can name the fields how you like, not necessarily "field1", "field2", etc.

Re: Extract field between double quotes using rex

sureshkumaar — Tue, 21 Mar 2023 13:22:09 GMT

My issue here is actually,

the below line is actually has to be covered under a field called "Failure Reason" and when i am giving the below mvindex command it's working fine

but not all the failure reason occupy in 2 mvindex values, some are occupying in 1 and some are occupying more than 1 (2 OR 3 OR 4)

| eval "Failure Reason"=mvindex(_raw,19,20)

"Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd"

and another issue here is if we have 2 empty values, and when i am giving the below mvindex it's picking the value which is supposed to get update in the 23rd mvindex (i.e. data time stamp getting updated) instead of staying blank

| eval "Failure Reason"=mvindex(_raw,21)

"Mar 20, 2023, 10:41:49 AM"

Re: Extract field between double quotes using rex

ITWhisperer — Tue, 21 Mar 2023 13:29:30 GMT

Please show your complete SPL and the raw event which is giving you problems