topic Re: Extract field that might be surrounded by quotes in Splunk Search

Extract field that might be surrounded by quotes

aohls — Tue, 27 Aug 2019 14:09:41 GMT

I am working to extract a field that at times is surrounded by quotes. This means I have either; operation or "operation". I have attempted the following:
Log Example:
operation="status"
operation=status

operation="?(?P<operation>"?[^\,]+),

Doing this does is close but on the fields with quotes, the closing quote is included which I did not want. My thought is to just do two extractions with the same name which is not ideal for me. I am extracting until a comma, which is either after the end of the string or after the closing quote.

Edit: I do not want to do anything at search time, I want the values to be correct for other users with limited knowledge.

Re: Extract field that might be surrounded by quotes

Sukisen1981 — Tue, 27 Aug 2019 14:18:11 GMT

you can just try a replace after the operation is extracted
| eval operation=replace(operation,"\"","")

Re: Extract field that might be surrounded by quotes

gcusello — Tue, 27 Aug 2019 14:20:19 GMT

Hi aohls,
could you share an example of your logs?
Anyway, you have two choices:

create a regex for both with and without quotes, bus often is difficult;
create towo different extractions (e.g. operation1 and operation2) and then merge values using coalesce,

Something like this:

| index=my_index
| rex "operation\=\"(?<operation1>[^\"]*)"
| rex "operation\=(?<operation2>[^,]*)"
| eval operation=coalesce(operation1,operation2)
| ...

Bye.
Giuseppe

Re: Extract field that might be surrounded by quotes

aohls — Tue, 27 Aug 2019 14:39:06 GMT

I am hoping to accomplish this within the extraction and avoid any search time requirements.

Re: Extract field that might be surrounded by quotes

mayurr98 — Tue, 27 Aug 2019 14:43:43 GMT

Try this :

<your search> | rex "operation=(|\")(?<operation>[^(|\")]+)"

<your search> | rex "operation=(|\")(?<operation>\w+)"

let me know if this helps!

Re: Extract field that might be surrounded by quotes

justinatpnnl — Tue, 27 Aug 2019 14:47:49 GMT

Right now you have the optional closing quote inside of your capture parenthesis. Try moving it outside with something like this:

operation="?(?<operation>[^\,"]+)"?,

See the working example here: https://rubular.com/r/KvJKsg4drQl51V

Re: Extract field that might be surrounded by quotes

aohls — Tue, 27 Aug 2019 14:51:26 GMT

This works perfect, I had attempted something similar but I had: operation="?(?<operation>[^\,]+)"?,. I was missing a quote in the expression so I was getting the closing quote in my result. Thanks.