topic Re: Extract Field with Backslash and Quotes in Splunk Search

Extract Field with Backslash and Quotes

ank15july96 — Thu, 18 Feb 2021 21:58:55 GMT

I'm trying to extract this field that has colon, backslash and quotes around it and its not yielding any result.

Field looks like this: [{\"errorCode\":9810,

This is what I tried:

index=main errorCode | rex field=_raw "\"errorCode\\\":(?<code>....)" | table code

This is giving empty result.

Would appreciate any hints or suggestions.

Re: Extract Field with Backslash and Quotes

saravanan90 — Thu, 18 Feb 2021 22:35:29 GMT

This may help..

index=main errorCode | rex field=_raw "errorCode\\\\\":(?<code>\d+)" | table code

Re: Extract Field with Backslash and Quotes

ank15july96 — Mon, 22 Feb 2021 21:05:34 GMT

Hey Saravanan, do you know how to extract second occurrence of errorCode?
This query is extracting the first occurrence fine but I need to skip the first and retrieve the second occurrence.

Re: Extract Field with Backslash and Quotes

to4kawa — Tue, 23 Feb 2021 01:38:25 GMT

your log is JSON, try spath

Re: Extract Field with Backslash and Quotes

saravanan90 — Tue, 23 Feb 2021 05:49:46 GMT

Hi @ank15july96 ,

You can try spath as suggested by @to4kawa as it will extract all the fields json & xml.

Below may help to extract the second occurrence...

|rex field=_raw max_match=0 "errorCode\\\\\":(?<code>\d+)") | eval code=mvindex(code,1)

Re: Extract Field with Backslash and Quotes

to4kawa — Tue, 23 Feb 2021 07:28:20 GMT

Please give me the entire log.
There is also a way to do spath.