topic Regex not working event after validating in regex101.com in Splunk Search

Regex not working event after validating in regex101.com

macadminrohit — Thu, 10 May 2018 18:44:15 GMT

This is my regex :

Test Name\","value":"(?.*)},{"key"

and my test string is :

{"key":"Test Name","value":"GET:Corp Ping Test"},{"key":"URL","value"

Basically i want to extract this set "GET:Corp Ping Test" , splunk doesnt extract anything in

Re: Regex not working event after validating in regex101.com

niketn — Thu, 10 May 2018 18:56:34 GMT

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

Re: Regex not working event after validating in regex101.com

kmorris_splunk — Thu, 10 May 2018 19:04:31 GMT

I think you are missing a name for your capture group. Try this:

Test Name\","value":"(?<myfield>.*)"},{"key"

I wasn't sure if you wanted the quote at the end so I removed it as well.

Re: Regex not working event after validating in regex101.com

macadminrohit — Thu, 10 May 2018 19:06:37 GMT

Thanks Niket. It works like a charm 🙂

Re: Regex not working event after validating in regex101.com

macadminrohit — Thu, 10 May 2018 21:14:30 GMT

i missed that in my question, but actually was there in regex. I missed to add \ to mask the double quotes.