https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411805#M118757 <P>If there is more data after page: then use this:</P> <PRE><CODE>"action":"(?&lt;test&gt;\w+|.+)" </CODE></PRE> <P>This will grab everything inside the quotes</P> Wed, 27 Jun 2018 22:32:25 GMT hos_2 2018-06-27T22:32:25Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411801#M118753 <P>I have the raw data below. How do I get the strings after the "action": and put all the results into a new field? </P> <PRE><CODE>{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"} {"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"} {"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"} {"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"} </CODE></PRE> Wed, 27 Jun 2018 21:20:54 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411801#M118753 dwong2 2018-06-27T21:20:54Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411802#M118754 <P>Hi dwong2,</P> <P>Try it in <A href="https://regex101.com/">https://regex101.com/</A></P> <PRE><CODE>"action":"(?&lt;test&gt;\w+|.+)" </CODE></PRE> <P>Basically you want to tell regex to search for "Action" and group any of the results into a field we can call on later, which in this example I named "test".</P> Wed, 27 Jun 2018 21:58:29 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411802#M118754 hos_2 2018-06-27T21:58:29Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411803#M118755 <P>Did you miss a quote after <CODE>"page:</CODE>?<BR /> Can you show what's after <CODE>page:</CODE>? can action have multiple values separated by <CODE>:</CODE>?</P> Wed, 27 Jun 2018 22:06:52 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411803#M118755 amiftah 2018-06-27T22:06:52Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411804#M118756 <P>Is there a way to convert the <CODE>:</CODE> to <CODE>=</CODE> in the log file?</P> Wed, 27 Jun 2018 22:27:13 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411804#M118756 ddrillic 2018-06-27T22:27:13Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411805#M118757 <P>If there is more data after page: then use this:</P> <PRE><CODE>"action":"(?&lt;test&gt;\w+|.+)" </CODE></PRE> <P>This will grab everything inside the quotes</P> Wed, 27 Jun 2018 22:32:25 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411805#M118757 hos_2 2018-06-27T22:32:25Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411806#M118758 <P>If i wanted to search for this instead "action":"page: ?</P> Wed, 27 Jun 2018 22:43:19 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411806#M118758 dwong2 2018-06-27T22:43:19Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411807#M118759 <P>@ddrillic you can use the sed command to replace <CODE>:</CODE> by <CODE>=</CODE> :<BR /> <CODE>| rex field=_raw mode=sed "s/:/=/g"</CODE></P> Thu, 28 Jun 2018 01:28:53 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411807#M118759 amiftah 2018-06-28T01:28:53Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411808#M118760 <P>So, great, we can replace the <CODE>:</CODE> with <CODE>=</CODE> and then the fields should be automatically detected. </P> Thu, 28 Jun 2018 13:56:21 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411808#M118760 ddrillic 2018-06-28T13:56:21Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411809#M118761 <P>This will work much better and faster then my previous regex.</P> Thu, 28 Jun 2018 17:00:31 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411809#M118761 hos_2 2018-06-28T17:00:31Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411810#M118762 <P>Add this to your search</P> <PRE><CODE>index=my index |rex field=source "\"action\":\"(?&lt;action&gt;[^\"]+)" | </CODE></PRE> <P>If you don't want to get the action=Exit let me know </P> Fri, 20 Jul 2018 17:43:58 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411810#M118762 j_cabanillas 2018-07-20T17:43:58Z https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411811#M118763 <P>you can do the same for other fields constants like dateTime ID account </P> Fri, 20 Jul 2018 17:46:28 GMT https://community.splunk.com/t5/Splunk-Search/Would-you-create-rex-or-regex-to-extract-a-string-and-create-a/m-p/411811#M118763 j_cabanillas 2018-07-20T17:46:28Z