Need the correct regular expression for my rex command

moizmmz — Tue, 29 Sep 2020 23:00:28 GMT

Here is my raw data:

{"line":"level=debug t=\"2019-01-29T19:47:20.971Z\" rt=1 method=GET path=\"/service/health?apikey=DEFAULT\" sc=200 dma=999 apikey=DEFAULT amzn_trace_id=unknown enabledFeatures=recommendations,upcomingSearch,popularityQueriesPlatformSpecific,availabilityTimes,avoidDefaultQuery,useFavoritesExternalSchemaForD2C,useFavoritesV2ForFavoritesFilter,endCardRecommendations,cmsAuthFallback os=1 rid=\"dpp-proxy-draft-db0ae210-2baf-42e7-bd88-1379d3efb157\" mode=draft","source":"stderr","tag":"ecs-dev_dpp-proxy-draft_v1_blue-798-dev-service-dpp-proxy-draft-96eda4add3ca82ec5600/8c19f5d7ff4b","attrs":{"SERVICE_NAME":"dpp-proxy-draft","SERVICE_TAGS":"dpp-proxy","SERVICE_VERSION":"v1","com.amazonaws.ecs.task-arn":"arn:aws:ecs:us-west-2:776609208984:task/497f2b51-9bb7-4fb1-bce9-4058561bb2ad"}}

I hope to extract the highlighted portion seen above.

Pls help!!

Re: Need the correct regular expression for my rex command

renjith_nair — Wed, 30 Jan 2019 01:25:17 GMT

@moizmmz ,

Try

rex "tag\":\"ecs-(?<TAG>.+?)-\d+"

Re: Need the correct regular expression for my rex command

vinod94 — Wed, 30 Jan 2019 08:24:56 GMT

You can try this,

Your  index |  rex field=_raw "tag\"\:\"ecs-(?P<field_name>[^798]+)\-"

let me know if this works.

topic Re: Need the correct regular expression for my rex command in Splunk Search

Need the correct regular expression for my rex command

Re: Need the correct regular expression for my rex command

Re: Need the correct regular expression for my rex command