topic Re: How to escape special character through regex in Splunk Search

How to escape special character through regex

mrmanishsharma — Tue, 03 Dec 2019 20:29:32 GMT

Hi experts, I wanted to escape the backslash "\" from the below logs, and capture the status code.
The output should be like this statusCode=200

Please help me on this.

"log":"{\"logType\":\"RESPONSE\",\"logLevel\":\"DEBUG\",\"logTimestamp\":\"2019-12-03T20:08:58.691Z\",\"logger\":\"Response\",\"label\":\"Response\",\"transaction\":{\"transactionId\":\"AjscCsiRestful46@N/A258ecf8b-106b-475d-9ba6-784e1205cce4\",\"conversationId\":\"m10582@sapmp.att.com~CNG-CSI~0cb3c333-15ee-45cf-9a45-fc2fe3d21783\",\"consumer\":\"m10582@sapmp.att.com\",\"protocol\":\"HTTP\",\"callingEntityIP\":\"10.233.64.0\",\"receivedTimestamp\":\"2019-12-03T20:08:58.675Z\",\"timeToLive\":0,\"timeout\":\"2019-12-03T20:08:58.675Z\"},\"runtime\":{\"hostName\":\"zlp25883\",\"ip\":\"10.233.77.162\",\"instance\":\"subscribernotificationprocess-3-0-2-default-6dcdffcc5f-vccqx\",\"clusterName\":\"PROD-ALPSGACT-SAPMP-0001\",\"namespace\":\"com-att-sapmp-prod\",\"image\":\"dockercentral.it.att.com:5100/com.att.sapmp/subscribernotificationprocess:3.0.2\",\"platformIdentifier\":\"AJSC7_RESTLET\",\"environment\":\"PROD\"},\"application\":{\"deploymentUnitName\":\"com.att.sapmp.SubscriberNotificationProcess\",\"motsApplicationAcronym\":\"26018\"},\"response\":{\"processedEndTimestamp\":\"2019-12-03T20:08:58.689Z\",\"responseSize\":0,\"responseMessage\":\"\",\"status\":\"COMPLETE\",\"statusCode\":\"200\",\"headers\":{\"X-ATT-UniqueTransactionId\":\"AjscCsiRestful46@N/A258ecf8b-106b-475d-9ba6-784e1205cce4\",\"X-ATT-ConversationId\":\"m10582@sapmp.att.com~CNG-CSI~0cb3c333-15ee-45cf-9a45-fc2fe3d21783\",\"X-Application-Context\":\"application:subscriber:8080\",\"Date\":\"Tue, 03 Dec 2019 20:08:58 GMT\",\"Server\":\"Restlet-Framework/2.3.12\"}}}\n","stream":"stdout","time":"2019-12-03T20:08:58.691596727Z"}

Re: How to escape special character through regex

richgalloway — Tue, 03 Dec 2019 21:57:53 GMT

How about something like this? The "extra" backslashes are there because of additional escaping needed in SPL.

... | rex "statusCode\\\\\":\\\\\"(?<statusCode>\d+)"

Re: How to escape special character through regex

vnravikumar — Wed, 04 Dec 2019 02:39:17 GMT

Try this, temp is the field that contains entire log

| makeresults 
| eval temp="statusCode\":\"200\"," 
| rex field=temp "statusCode\":\"(?P<statusCode>[^\",]+)"

Re: How to escape special character through regex

woodcock — Wed, 04 Dec 2019 06:01:20 GMT

Like this:

|makeresults
| eval _raw="\"log\":\"{\\\"logType\\\":\\\"RESPONSE\\\",\\\"logLevel\\\":\\\"DEBUG\\\",\\\"logTimestamp\\\":\\\"2019-12-03T20:08:58.691Z\\\",\\\"logger\\\":\\\"Response\\\",\\\"label\\\":\\\"Response\\\",\\\"transaction\\\":{\\\"transactionId\\\":\\\"AjscCsiRestful46@N/A258ecf8b-106b-475d-9ba6-784e1205cce4\\\",\\\"conversationId\\\":\\\"m10582@sapmp.att.com~CNG-CSI~0cb3c333-15ee-45cf-9a45-fc2fe3d21783\\\",\\\"consumer\\\":\\\"m10582@sapmp.att.com\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"callingEntityIP\\\":\\\"10.233.64.0\\\",\\\"receivedTimestamp\\\":\\\"2019-12-03T20:08:58.675Z\\\",\\\"timeToLive\\\":0,\\\"timeout\\\":\\\"2019-12-03T20:08:58.675Z\\\"},\\\"runtime\\\":{\\\"hostName\\\":\\\"zlp25883\\\",\\\"ip\\\":\\\"10.233.77.162\\\",\\\"instance\\\":\\\"subscribernotificationprocess-3-0-2-default-6dcdffcc5f-vccqx\\\",\\\"clusterName\\\":\\\"PROD-ALPSGACT-SAPMP-0001\\\",\\\"namespace\\\":\\\"com-att-sapmp-prod\\\",\\\"image\\\":\\\"dockercentral.it.att.com:5100/com.att.sapmp/subscribernotificationprocess:3.0.2\\\",\\\"platformIdentifier\\\":\\\"AJSC7_RESTLET\\\",\\\"environment\\\":\\\"PROD\\\"},\\\"application\\\":{\\\"deploymentUnitName\\\":\\\"com.att.sapmp.SubscriberNotificationProcess\\\",\\\"motsApplicationAcronym\\\":\\\"26018\\\"},\\\"response\\\":{\\\"processedEndTimestamp\\\":\\\"2019-12-03T20:08:58.689Z\\\",\\\"responseSize\\\":0,\\\"responseMessage\\\":\\\"\\\",\\\"status\\\":\\\"COMPLETE\\\",\\\"statusCode\\\":\\\"200\\\",\\\"headers\\\":{\\\"X-ATT-UniqueTransactionId\\\":\\\"AjscCsiRestful46@N/A258ecf8b-106b-475d-9ba6-784e1205cce4\\\",\\\"X-ATT-ConversationId\\\":\\\"m10582@sapmp.att.com~CNG-CSI~0cb3c333-15ee-45cf-9a45-fc2fe3d21783\\\",\\\"X-Application-Context\\\":\\\"application:subscriber:8080\\\",\\\"Date\\\":\\\"Tue, 03 Dec 2019 20:08:58 GMT\\\",\\\"Server\\\":\\\"Restlet-Framework/2.3.12\\\"}}}\n\",\"stream\":\"stdout\",\"time\":\"2019-12-03T20:08:58.691596727Z\"}"
| rex "statusCode\\\\\":\\\\\"(?<statusCode>\d+)"

Re: How to escape special character through regex

mrmanishsharma — Wed, 04 Dec 2019 19:00:44 GMT

Thanks all for your efforts.
but what is the wired thing happening, when i used the code from answers so far and execute with my search string. it works.
issue comes, when i creates the field and it shows successfully saved. but created field do not populated and missing in the left created field list. 😞

Re: How to escape special character through regex

woodcock — Thu, 02 Jan 2020 02:33:25 GMT

Please note that if you are saving field extractions to happen automatically and NOT using them with rex inside of search SPL, you will have to reduce the number of \ characters by half(ish). Are you saving this as automatic field extractions?

Re: How to escape special character through regex

computermathguy — Fri, 01 Apr 2022 19:24:38 GMT

I had to use 4 backslashes to escape the URL's single backslash.