topic Re: regular expression json in Getting Data In

regular expression json

efaundez — Tue, 29 Sep 2020 20:17:54 GMT

good afternoon

I'm trying to capture a particular field, but sometimes my events come several times, and declaring the regular expression only captures a value.

Any suggestions?

\"(code_key)\"\s*:\s*\"?(?[\w\d:.-]*)\"?

{ "_id" : { [ { "network_id_key" : "99999999" } ], "avps_key" : [], "services_key" : [ { "enabled_key" : true, "avps_key" : [], "code_key" : "IM_Prepago" } ], "billing_info_key" : {}, "start_date_key" : { "$date" : "2015-01-29T03:50:28.000-0300" }, "realm_key" : null, "name_key" : {}, "end_date_key" : null }

{ "_id" : {[ { "network_id_key" : "99999999" } ], "services_key" : [ { "avps_key" : [], "enabled_key" : true, "code_key" : "IM_Prepago" }, { "avps_key" : null, "enabled_key" : true, "code_key" : "TDE_IM_PP" }, { "code_key" : "TDE_ROAM_DEF", "avps_key" : null, "enabled_key" : true } ], "status_key" : "ACTIVE", "start_date_key" : { "$date" : "2015-01-29T03:50:28.000-0300" } }

{ "_id" : { [ { "avps_key" : [], "enabled_key" : true, "code_key" : "IM_Prepago" }, { "avps_key" : null, "enabled_key" : true, "code_key" : "TDE_IM_PP" }, { "code_key" : "TDE_ROAM_DEF", "avps_key" : null, "enabled_key" : true } ], "status_key" : "ACTIVE", "start_date_key" : { "$date" : "2015-01-29T03:50:28.000-0300" } }

Re: regular expression json

cpetterborg — Fri, 06 Jul 2018 20:45:40 GMT

So you are getting ONLY the first match and not the other two, but you want all three?

And are you wanting to do this at search time (in the search string - e.g.rex, or auto field extraction), or at index time?

Also, for clarity - your regex seems to have gotten a little eaten by the formatting:

"(code_key)"\s*:\s*"?(?<code_key>[\w\d\:.-]*)"?

I also took a few backslashes out that weren't needed.

Re: regular expression json

efaundez — Fri, 06 Jul 2018 21:31:59 GMT

thanks for your reply

Splunk continues only taking into account 1 only value and the others ignore them 😞

Re: regular expression json

cpetterborg — Fri, 06 Jul 2018 22:35:19 GMT

Again - Are you wanting to do this at search time (in the search string - e.g.rex, or auto field extraction), or at index time?

Re: regular expression json

Sukisen1981 — Tue, 29 Sep 2020 20:21:50 GMT

As @ cpetterborg says

If you are trying this at search time all you need to do is add a max_match=0 after your regex, assuming your regex is giving the correct value for 1 extraction... something like `rex field=_raw "(code_key)"\s*:\s*"?(?[\w\d:.-]*?)" max_match=0. Has your rejected got corrupted while pasting here?Bsically just pipe max_match after the regex that successfully extracts the first value.