topic Re: rex extration with double quotes in Splunk Search

rex extration with double quotes

mwibowo1 — Wed, 01 Aug 2018 22:54:52 GMT

"ContactId":"12345" and i have tried rex "\"ContactId\":\"(?[0-9]*)\""
and no result..
please help.. what did i do wrong with escape char \?

Re: rex extration with double quotes

mwibowo1 — Wed, 01 Aug 2018 22:56:35 GMT

sorry - this is not working -
rex "\"ContactId\":\"(?[0-9]*)\""

Re: rex extration with double quotes

mwibowo1 — Wed, 01 Aug 2018 22:59:49 GMT

rex "\"ContactId\":\"(?<ContactId>[a-zA-Z0-9-]*)\""

Re: rex extration with double quotes

cpetterborg — Wed, 01 Aug 2018 23:26:47 GMT

This looks mostly fine. I'd put the last - in the square brackets at the front of the list, though:

... | rex "\"ContactId\":\"(?<ContactId>[-a-zA-Z0-9]*)\""

Otherwise it seems fine. Do you also need to specify the field in this case? Sometimes that is needed to get it to work properly. There is just barely enough information about your problem to go on. This is a run-anywhere search that shows that it should work:

| makeresults 
| eval data="\"ContactId\":\"12345\"" 
| rex field=data "\"ContactId\":\"(?<ContactId>[-a-zA-Z0-9]*)\""

Re: rex extration with double quotes

skoelpin — Thu, 02 Aug 2018 00:50:30 GMT

Are you trying to extract the numbers? If so then you can simply escape the quotes with a backslash

Try the extraction below, the field-name will be ContactId

| rex ContactId\"\:\"(?<ContactId>\d+)

Re: rex extration with double quotes

deepashri_123 — Thu, 02 Aug 2018 09:19:40 GMT

Hey@mwibowo1,

Can you try this:
rex field=_raw "\"ContactId\":\"(?P.*)\""
Let me know if this helps!!

Re: rex extration with double quotes

mwibowo1 — Thu, 02 Aug 2018 16:24:43 GMT

that is exactly what i am doing and it does not work..

Re: rex extration with double quotes

skoelpin — Thu, 02 Aug 2018 16:27:53 GMT

You said you tried this and it didn't work?? You're regex is broken and doesn't capture the values whereas the solution I posted does..

| rex "\"ContactId\":\"(?[0-9]*)\""

You're trying to extract the numbers? What doesn't work? Is it partially working? You need to add more context if you want any shot at getting this working

Re: rex extration with double quotes

mwibowo1 — Thu, 02 Aug 2018 16:36:19 GMT

sorry - not working

| rex field=_raw "\"ContactId\":\"(?<ContactId>[a-zA-Z0-9-]*)\"" | table ContactId

Re: rex extration with double quotes

mwibowo1 — Thu, 02 Aug 2018 16:40:43 GMT

sorry not working

Re: rex extration with double quotes

mwibowo1 — Thu, 02 Aug 2018 16:43:17 GMT

does not work means when i do | table ContactId and it shows empty table (I know i have the data)

Re: rex extration with double quotes

cpetterborg — Thu, 02 Aug 2018 17:04:20 GMT

Does the run-anywhere search above work on your Splunk? If it doesn't, then you have something seriously odd going on. If it does, but the single line search above doesn't work, then your data doesn't look the way you have said, because each of the options that you have been given by the various contributors here should work. Look at your data carefully and figure out why it is not the same as what you have posted here.

Re: rex extration with double quotes

pruthvikrishnap — Thu, 02 Aug 2018 17:32:33 GMT

"ContactId\":"(.*?)"