topic Re: Extracting field with quotes doesnt seem to work. in Splunk Search

Extracting field with quotes doesnt seem to work.

balash1979 — Fri, 03 Apr 2020 14:19:38 GMT

Here is the message in splunk and I am trying to extract customer and channel

{"line":"2020-04-03T12:24:54.589Z LCS {\"customer\":5,\"channel\":\"sqs\",\"notificationId\":213546}

When I run something like this

index=docker  "Exception" | rex "CustomerID: (?<customer>\S+)," |  rex "channelName\\\\\":\\\\\"(?<channel>\w+)"  | stats count(notificationId) by CustomerID

I am able to see the CustomerID extracted

but when I do

index=docker  "Exception" | rex "CustomerID: (?<customer>\S+)," |  rex "channelName\\\\\":\\\\\"(?<channel>\w+)"  | stats count(notificationId) by CustomerID, channelName

It is not displaying any results which tells me I am not extracting the channelName correctly. How can I fix this ?

Re: Extracting field with quotes doesnt seem to work.

richgalloway — Fri, 03 Apr 2020 14:51:38 GMT

Neither of your regular expressions match the example data. There is no "CustomerID:" string and no "channelName" string. Please verify the data so we can help you.

Escaping of '\' is unintuitive in rex. Experiment with the number of \\ used to get the desired results.

Re: Extracting field with quotes doesnt seem to work.

jpolvino — Fri, 03 Apr 2020 15:54:02 GMT

Nobody likes backslashes!

| makeresults
| eval _raw="{\"line\":\"2020-04-03T12:24:54.589Z LCS {\\\"customer\\\":5,\\\"channel\\\":\\\"sqs\\\",\\\"notificationId\\\":213546}"
| rex "customer\\\\\":(?<customer>[^,]+),\\\\\"channel\\\\\":\\\\\"(?<channel>[^\\\]+)\\\\\""

Re: Extracting field with quotes doesnt seem to work.

balash1979 — Fri, 03 Apr 2020 15:58:44 GMT

Never mind. I was looking at the wrong values. Thanks for pointing it out.

Re: Extracting field with quotes doesnt seem to work.

woodcock — Fri, 03 Apr 2020 17:30:27 GMT

Your data has channel but your RegEx has channelName so try this:

... | rex "channel\\\\\":\\\\\"(?<channel>\w+)"