topic How do i extract my field using rex; in Splunk Dev

How do i extract my field using rex;

Gaya852635 — Thu, 12 Oct 2017 13:41:49 GMT

How do i extract my field using rex;

Below is the sample log:
"{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}",

Re: How do i extract my field using rex;

jodyfsu — Thu, 12 Oct 2017 14:21:58 GMT

Which field are you trying to pull out?

Re: How do i extract my field using rex;

Gaya852635 — Tue, 29 Sep 2020 16:09:19 GMT

This is the fieldname:OP_FRM_SRC_SYS

OP_FRM_SRC_SYS="{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}",

Re: How do i extract my field using rex;

jodyfsu — Tue, 29 Sep 2020 16:09:24 GMT

I am a little confused so please help me understand. So this is in the log:
"{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}"..... right?

Which field in the log are you trying to pull out? And are you wanting it named OP_FRM_SRC_SYS.

Please let me know what I am not following.

Re: How do i extract my field using rex;

Gaya852635 — Tue, 29 Sep 2020 16:09:27 GMT

complete field "{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}"as a fieldvalue into the fieldname OP_FRM_SRC_SYS.

Re: How do i extract my field using rex;

jodyfsu — Thu, 12 Oct 2017 14:45:33 GMT

Ah, ok.. I will see if I can figure this out 🙂

Re: How do i extract my field using rex;

sbbadri — Thu, 12 Oct 2017 14:55:16 GMT

@Gaya852635

try this in props.conf

[json_embedded]
REGEX = "(\w+)"."(\S+?)"
FORMAT = $1::$2

Re: How do i extract my field using rex;

skoelpin — Thu, 12 Oct 2017 14:58:26 GMT

So you want to extract "{"xxxx":{"zzzz":"405","statusMessage":"Added","zzzzzzz":false}}", from your log and name it OP_FRM_SRC_SYS?

Can you provide . larger sample size of characters/test before and after the field you want to extract?

Re: How do i extract my field using rex;

jodyfsu — Tue, 29 Sep 2020 16:09:32 GMT

Here is what I came up with:
| rex (^{{1}"{1}(?\w{4})"{1}:{1}{{1}"{1}(?\w{4})"{1}:{1}"{1}(?\d{3})"{1},{1}"{1}(?\w*)"{1}:{1}"{1}(?\w*)"{1},{1}"{1}(?\w*)"{1}:{1}(?\w*)}{2})

Re: How do i extract my field using rex;

jodyfsu — Tue, 29 Sep 2020 16:09:41 GMT

Looks like some was escaped out:
"| rex (^{{1}"{1}(?\w{4})"{1}:{1}{{1}"{1}(?\w{4})"{1}:{1}"{1}(?\d{3})"{1},{1}"{1}(?\w*)"{1}:{1}"{1}(?\w*)"{1},{1}"{1}(?\w*)"{1}:{1}(?\w*)}{2})"

Re: How do i extract my field using rex;

jodyfsu — Tue, 29 Sep 2020 16:09:44 GMT

my named capture groups keep getting dropped when I post.
| rex (^{{1}"{1}(?named capture group\w{4})"{1}:{1}{{1}"{1}(?named capture group\w{4})"{1}:{1}"{1}(?named capture group\d{3})"{1},{1}"{1}(?named capture group\w*)"{1}:{1}"{1}(?named capture group\w*)"{1},{1}"{1}(?named capture group\w*)"{1}:{1}(?named capture group\w*)}{2}

Re: How do i extract my field using rex;

skoelpin — Thu, 12 Oct 2017 15:23:58 GMT

This doesn't capture anything and also seems overkill.. I would suggest adding sample data before and after that you want to extract and one of us will give you a much cleaner regex

Re: How do i extract my field using rex;

jodyfsu — Thu, 12 Oct 2017 15:31:02 GMT

"| rex (^{{1}"{1}(?<f1>\w{4})"{1}:{1}{{1}"{1}(?<f2>\w{4})"{1}:{1}"{1}(?<f3>\d{3})"{1},{1}"{1}(?<f4>\w*)"{1}:{1}"{1}(?<f5>\w*)"{1},{1}"{1}(?<f6>\w*)"{1}:{1}(?<f7>\w*)}{2})"

Re: How do i extract my field using rex;

DalJeanis — Thu, 12 Oct 2017 15:33:31 GMT

@jodyfsu - you can mark your code using any of three strategies, to avoid html-like items being stripped out or interpreted as formatting.

1) For any amount of text, highlight the text and press the "mark code" button (101 010). that button works better for me on Chrome.

2) For lots of code text, put at least four spaces in front of the first non-whitespace character on each line. Make sure there is at least one completely empty line before the first code line.

3) For small pieces of code, use backticks (also called grave accents) before and after the code. That character () is found under the tilde~to the left of the1` on an American keyboard.

Re: How do i extract my field using rex;

jodyfsu — Thu, 12 Oct 2017 15:47:41 GMT

Thank you.