topic Re: How to extract data using rex? in Splunk Search

How to extract data using rex?

Learner — Wed, 02 Dec 2020 03:57:28 GMT

Hi all,

I am having data as follows:

REPORT RequestId: xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1

i want a field as CorrelationId3 which is having xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 value

Re: How to extract data using rex?

renjith_nair — Wed, 02 Dec 2020 05:46:36 GMT

Do you have any characters/strings after the value ?

your search |rex "RequestId:\s+(?<CorrelationId3>.*)"

If you have any chars after the value , add them after the last parenthesis (")")

Re: How to extract data using rex?

Learner — Wed, 02 Dec 2020 07:24:28 GMT

there is more raw data after xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 Duration ---'.

after using using your query, i'm getting data as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 Duration ---'

but i want data as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1'

Re: How to extract data using rex?

renjith_nair — Wed, 02 Dec 2020 10:52:39 GMT

As mentioned, have you tried adding that string after the parenthesis?

|rex RequestId:\s+(?<CorrelationId3>[^\s]+)

Re: How to extract data using rex?

Learner — Wed, 02 Dec 2020 07:58:35 GMT

yes, but still not getting right answer. i guess there is tab space rather than blank space before Duration. if tab, then how to write that?

Re: How to extract data using rex?

renjith_nair — Wed, 02 Dec 2020 10:53:34 GMT

Edited the first answer and should work for space and tabs

|rex "RequestId:\s+(?<CorrelationId3>[^\s]+)"

If the format of the string is only letters,numbers and - then ,you may use

|rex "RequestId:\s+(?<CorrelationId3>[a-z0-9A-Z-]+)"

Re: How to extract data using rex?

Learner — Thu, 10 Dec 2020 08:09:39 GMT

thank you @renjith_nair for help. now im again trying to extract correlation_id as CorrelationId4.

{"data":{"correlation_id":"51g0d88f-3ab8-4mom-betb-b31ed6e1662z","u_originator_uri"

i used following query to extract value:

| rex "\{\"correlation\_id\"\:\"(?<CorrelationId4>[^\<]*)\s*\""

but now, i am not getting field as CorrelationId4. request you to guide further on this

Re: How to extract data using rex?

renjith_nair — Thu, 10 Dec 2020 09:42:51 GMT

try

correlation_id\":\"(?<CorrelationId4>[^\"]+)

Re: How to extract data using rex?

Learner — Thu, 10 Dec 2020 15:50:26 GMT

not getting the data.

what if data is like:

"{\"data\":{\"correlation_id:\"51g0d88f-3ab8-4mom-betb-b31ed6e1662z\",\"u_originator_uri

Re: How to extract data using rex?

Learner — Sun, 20 Dec 2020 15:21:29 GMT

not getting the data

Re: How to extract data using rex?

Learner — Mon, 21 Dec 2020 04:46:54 GMT

i have tried

| rex "correlation_id\\":\\"(?<CorrelationId4>[^\"]+)\\"

but it gives me error as

Error in 'rex' command: Encountered the following error while compiling the regex 'correlation_id\:\(?<CorrelationId4>[^"]+)\': Regex: unmatched closing parenthesis.

Re: How to extract data using rex?

renjith_nair — Mon, 21 Dec 2020 06:48:51 GMT

1. You dont need to use \\ but only single \

2. The last quote (") should not be escaped with \\

Please see below sample

|makeresults|eval _raw="{\"data\":{\"correlation_id\":\"51g0d88f-3ab8-4mom-betb-b31ed6e1662z\",\"u_originator_uri\"" |rex "correlation_id\":\"(?<CorrelationId4>[^\"]+)"