https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549538#M155929 <P>Have you tried replacing \\ with nothing and \" with ", then use spath to extract the field you want?</P> Tue, 27 Apr 2021 22:47:42 GMT ITWhisperer 2021-04-27T22:47:42Z https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549537#M155928 <P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{ \\\"person\\\":{\\\"name\\\":{\\\"firstName\\\":\\\"John\\\",\\\"lastName\\\":\\\"Doe\\\"},\\\"address\\\":{\\\"street\\\":\\\"100 Main Ave\\\",\\\"city\\\":\\\"Redwood City\\\",\\\"usState\\\":\\\"CA\\\",\\\"zipCode\\\":\\\"94061\\\",\\\"country\\\":\\\"United States\\\",\\\"phones\\\":[],\\\"emails\\\":[],\\\"addressLines\\\":[]},\\\"addresses\\\":[],\\\"phones\\\":[{\\\"phoneType\\\":\\\"Home\\\",\\\"phoneNumber\\\":\\\"6500000000\\\"}],\\\"email\\\":\\\"johndoe@gmail.com\\\",\\\"dateOfBirth\\\":\\\"1900/01/01\\\",\\\"nationalId\\\":\\\"100\\\",\\\"gender\\\":\\\"Male\\\"},\\\"credential\\\":{\\\"userName\\\":\\\"johndoe@gmail.com\\\",\\\"password\\\":\\\"Password\\\",\\\"securityQuestion\\\":\\\"Name of First Car?\\\",\\\"securityAnswer\\\":\\\"Volvo\\\"}\"" }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>I need help in getting email in splunk search query for above json which has blackslash in logs.&nbsp; I have grabbed the nametag from very big log json using spath and i am calling that tag as "nametagforthisjson"&nbsp; to simplify.</P><P><BR />I tried this :&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">| rex field=nametagforthisjson max_match=0 "\"email:\\\\\\\":\\\\\\\"(?&lt;email&gt;.*)\"(?=,)" | table email</LI-CODE><P>&nbsp;</P><P><BR /><BR />I see email label printed but not value . So my regex is wrong. the email value&nbsp;<A href="mailto:johndoe@gmail.com" target="_blank" rel="noopener">johndoe@gmail.com</A>&nbsp;is for email name tag . So the value is until semicolon (,) . I am putting 7 blackslash.(2 backslash for 1 \&nbsp; and 1 for ")<BR />regex&nbsp; query version&nbsp;<A href="https://regex101.com/r/8BevNW/1" target="_blank">https://regex101.com/r/8BevNW/1</A></P><P>&nbsp;</P> Tue, 27 Apr 2021 22:50:08 GMT https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549537#M155928 curiousvivek 2021-04-27T22:50:08Z https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549538#M155929 <P>Have you tried replacing \\ with nothing and \" with ", then use spath to extract the field you want?</P> Tue, 27 Apr 2021 22:47:42 GMT https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549538#M155929 ITWhisperer 2021-04-27T22:47:42Z https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549548#M155938 <P>Thanks,I did this :</P><P>&nbsp;</P><LI-CODE lang="markup">| eval formattedjson = replace(nametagforthisjson,"\\\\", "")| table formattedjson</LI-CODE><P>&nbsp;</P><P><BR /><BR />that but now i have json enclosed in double quotes</P><P>[see below]</P><P>&nbsp;</P><LI-CODE lang="markup">"{ "person": { "name": { "firstName": "John", "lastName": "Doe" }, "address": { "street": "100 Main st", ... "phones": [ ], "emails": [ ], "addressLines": [ ] }, "addresses": [ ], "phones": [ { "phoneType": "Mobile", "phoneNumber": "65000000" } ], "email": "johdoe@gmail.com", .... } }"</LI-CODE><P>&nbsp;</P><P>What should I do to remove this enclosing double quotes?<BR />Once this is success, I want to do<BR />eval email = json_extract('formattedjson',"person.email")&nbsp;</P> Wed, 28 Apr 2021 00:49:00 GMT https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549548#M155938 curiousvivek 2021-04-28T00:49:00Z https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549574#M155948 <LI-CODE lang="markup">| eval formattedjson = trim(replace(nametagforthisjson,"\\\\", ""),"\"") | spath field=formattedjson path=person.email output=email | table formattedjson, email</LI-CODE> Wed, 28 Apr 2021 07:47:48 GMT https://community.splunk.com/t5/Splunk-Search/help-with-backslash/m-p/549574#M155948 ITWhisperer 2021-04-28T07:47:48Z