https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610772#M11601 <P>Hi gcusello,</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;It is working and thanks for introducing new command as well to me..I will try to check documentation for spath command.<BR /><BR />Appreciate you for quick response</P> Thu, 25 Aug 2022 04:11:00 GMT vineela 2022-08-25T04:11:00Z https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610646#M11599 <P>I need to write regular expression to extract few fields in this, but not able to figure this out. Can you please help me on the same.</P> <DIV class=""><SPAN class="">X-Response-Timestamp:</SPAN> <SPAN class="">2022-08-24T07:27:26.150Z</SPAN> <SPAN class="">x-amzn-Remapped-Connection:</SPAN> <SPAN class="">close</SPAN> <SPAN class="">...</SPAN> <SPAN class="">4</SPAN> <SPAN class="">lines</SPAN> <SPAN class="">omitted</SPAN> <SPAN class="">...</SPAN> <SPAN class="">X-Amzn-Trace-Id:</SPAN> <SPAN class="">Root=1-6305d2de-69ec840431ff21182b4a9f68</SPAN> <SPAN class="">Content-Type:</SPAN> <SPAN class="">application/json</SPAN> {"<SPAN class="">code</SPAN>"<SPAN class="">:</SPAN>"APS<SPAN class=""><SPAN class="">.MPI.20</SPAN>19</SPAN>","<SPAN class="">severity</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">FATL</SPAN>","<SPAN class="">text</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">Invalid</SPAN> <SPAN class="">Request</SPAN>","<SPAN class="">user_message</SPAN>"<SPAN class="">:</SPAN>"<SPAN class="">Request</SPAN> <SPAN class="">id</SPAN> <SPAN class="">has</SPAN> <SPAN class="">already</SPAN>&nbsp;used<SPAN class="">.</SPAN>"}</DIV> <P><BR />Above is the whole log. I need to extract code,severity and message. I cant able t understand the format and fetch.</P> Wed, 24 Aug 2022 14:35:18 GMT https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610646#M11599 vineela 2022-08-24T14:35:18Z https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610647#M11600 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234209">@vineela</a>,</P><P>this seems to be a Json log, so you could try to use the spath command (<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath)" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath)</A>.</P><P>If anyway you want to use a regex, you could try something like this:</P><LI-CODE lang="markup">| rex "\"code\":\"(?&lt;code&gt;[^\"]+)\",\"severity\":\"(?&lt;severity&gt;[^\"]+)\".*\"user_message\":\"(?&lt;user_message&gt;[^\"]+)\""</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/8Ggre7/1" target="_blank">https://regex101.com/r/8Ggre7/1</A></P><P>Ciao.</P><P>Giuseppe</P> Wed, 24 Aug 2022 09:34:17 GMT https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610647#M11600 gcusello 2022-08-24T09:34:17Z https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610772#M11601 <P>Hi gcusello,</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;It is working and thanks for introducing new command as well to me..I will try to check documentation for spath command.<BR /><BR />Appreciate you for quick response</P> Thu, 25 Aug 2022 04:11:00 GMT https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610772#M11601 vineela 2022-08-25T04:11:00Z https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610782#M11602 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234209">@vineela</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 25 Aug 2022 07:12:44 GMT https://community.splunk.com/t5/Reporting/Help-with-regular-expression-to-extract-fields/m-p/610782#M11602 gcusello 2022-08-25T07:12:44Z