topic Re: regex field extraction on field changing data value properties in Splunk Search

regex field extraction on field changing data value properties

VI371887 — Mon, 26 Mar 2018 07:00:04 GMT

hi i am having issue extracting fields from splunk field extraction and rex command

with msg field

it's has different values can be numbers, strings, path, punctuations, blank space like shown below.

"msg" :"35556"
"msg" :"<<÷] {<} ;;"
"msg" :"ycuvuuu jvbigg buivuv"
"msg" :" "

now problem is, i have written rex as
\msg\":(? \". *\") \,

but it returns value which following msg field.

"msg" :"vjvuv igivc uvviv", "origin" :"abcgc", "time" :23.45677",

493669 — Mon, 26 Mar 2018 07:06:04 GMT

Hi @VI371887,
Try this regex:

...|rex "msg\"\s:\"(?<msg>[^\"]+)"

VI371887 — Mon, 26 Mar 2018 08:03:42 GMT

this selects msg filed, i want the value of the field to be selected, like in above example

the msg values that is.. highlighted in bold.

"msg" :"35556"
"msg" :"<<÷] {<} ;;"
"msg" :"ycuvuuu jvbigg buivuv"
"msg" :"** **"

493669 — Mon, 26 Mar 2018 10:50:52 GMT

the above regex selects value for msg field as highlighted.
try this run anywhere search:

|makeresults|eval _raw="\"msg\" :\"35556\""|rex "msg\"\s:\"(?<message>[^\"]+)"