topic Re: How can I extract this field using REGEX (rex)? in Splunk Search

How can I extract this field using REGEX (rex)?

sarathipattam — Mon, 04 Jun 2018 21:10:18 GMT

Hi,

I have the below raw, I would like to extract MaximumBatchQuantity value, which is 20. Can someone help me with REGEX, please?

{"bdy":{"msg":"HttpRequest","addInfo":[{"key":"Url","value":"https://isp0064x.st.ad.XXXXX.com/XXXXXOmniFulfillmentServerApp/api/Assignment/Auto/"},{"key":"Content","value":"{\"Filters\":[],\"**MaximumBatchQuantity**\":**20**,\"AllowedSLAMilliSeconds\":4500,\"AssociateFirstName\":\"Aliona\",\"AssociateId\":\"2795969\",\"AssociateLastName\":\"Cieniawa\",\"Header\":{\"ApiVersion\":null,\"AppVersion\":\"18.3.0.15617\",\"JsonWebToken\":null,\"MessageId\":\"de959d4f-6a7d-4c0c-98d3-1143064b4300\"},\"IsOffline\":false,\"SLARequestKey\":\"AutoBatch\",\"StoreNumber\":\"0064\"}"},{"key":"CorrelationId","value":""},{"key":"MessageId","value":"3a04038d-64e2-493c-b489-90a922de1980"}]},"hdr":{"level":"Verbose","timestamp":"2018-06-04T21:03:19.6347626Z","fxsrc":"LogRequestInfo","lineNum":710,"userId":"2795969","loc":"Store","locId":"0064","ip":"10.224.255.15","hostName":"K-W10ME-7463352","macaddress":"00-16-XX-16-A6-FA","eventid":0,"appVersion":"18.3.0.15617","appName":"OmniFulfillment","deviceModel":"XX500","osVersion":"10.0.14393.2007","firmwareVersion":"1049.7.18039.0","networkSignalStrength":"4","isConnected":"True"},"ver":"0.1"}

Re: How can I extract this field using REGEX (rex)?

somesoni2 — Mon, 04 Jun 2018 21:28:33 GMT

Assuming those asterisk in the field name and value of MaximumBatchQuantity is added by you trying to highlight/bold it, give following regex a try

MaximumBatchQuantity[^:]+:(?<MaximumBatchQuantity>[^,]+)

See it working with your sample data

https://regex101.com/r/URJNJH/1

Re: How can I extract this field using REGEX (rex)?

martin_mueller — Mon, 04 Jun 2018 21:30:08 GMT

I heard you liked JSON, so I put some JSON in your JSON? Eww.

... | rex "\\\"MaximumBatchQuantity\\\"\s*:\s*\"?(?<MaximumBatchQuantity>\d+)"

Re: How can I extract this field using REGEX (rex)?

sarathipattam — Tue, 29 Sep 2020 19:46:10 GMT

Thanks for the response, I'm getting below error,

Error in 'SearchParser': Missing a search command before '^'. Error at position '522' of search query 'search index=kohls_prod_stores_servers sourcetype=...{snipped} {errorcontext = hQuantity[^:]+:(?

Re: How can I extract this field using REGEX (rex)?

sarathipattam — Mon, 04 Jun 2018 22:12:55 GMT

Thanks for the response, this is giving me null value

Re: How can I extract this field using REGEX (rex)?

somesoni2 — Mon, 04 Jun 2018 22:16:37 GMT

What's the search you're using? I just gave you the regex portion, you'd need to add other search parts.

Re: How can I extract this field using REGEX (rex)?

sarathipattam — Mon, 04 Jun 2018 22:16:48 GMT

I used this way

| rex field=_raw MaximumBatchQuantity[^:]+:(?[^,]+)

Re: How can I extract this field using REGEX (rex)?

martin_mueller — Mon, 04 Jun 2018 22:34:30 GMT

put quotes around the expression