https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594473#M206906 <P>Below is my raw logs.</P> <P>I want to extract "analystVerdict" &amp; its corresponding result from raw logs. can someone please help</P> <P>&nbsp;</P> <P>\"mitigationStartedAt\": \"2022-04-13T03:57:58.393000Z\", \"status\": \"success\"}], \"threatInfo\": {\"<STRONG>analystVerdict</STRONG>\": \"<STRONG>false_positive</STRONG>\", \"analystVerdictDescription\": \"False positive\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": \"\", \"classification\": \"Malware\",</P> <P>&nbsp;</P> <P>I tried below. But i am failing to get the result</P> <P>index=test_summary&nbsp; | rex field=_raw ":\\\"(?&lt;analystVerdict&gt;\w+)\\\"" |table search_name analystVerdict</P> Wed, 20 Apr 2022 15:27:33 GMT alexspunkshell 2022-04-20T15:27:33Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594473#M206906 <P>Below is my raw logs.</P> <P>I want to extract "analystVerdict" &amp; its corresponding result from raw logs. can someone please help</P> <P>&nbsp;</P> <P>\"mitigationStartedAt\": \"2022-04-13T03:57:58.393000Z\", \"status\": \"success\"}], \"threatInfo\": {\"<STRONG>analystVerdict</STRONG>\": \"<STRONG>false_positive</STRONG>\", \"analystVerdictDescription\": \"False positive\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": \"\", \"classification\": \"Malware\",</P> <P>&nbsp;</P> <P>I tried below. But i am failing to get the result</P> <P>index=test_summary&nbsp; | rex field=_raw ":\\\"(?&lt;analystVerdict&gt;\w+)\\\"" |table search_name analystVerdict</P> Wed, 20 Apr 2022 15:27:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594473#M206906 alexspunkshell 2022-04-20T15:27:33Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594476#M206907 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/126376">@alexspunkshell</a>,</P><P>please try this regex:</P><LI-CODE lang="markup">| rex "analystVerdictDescription\\\":\s+\\\"(?&lt;analystVerdictDescription&gt;[^\"]+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/IjwJYM/1" target="_blank">https://regex101.com/r/IjwJYM/1</A></P><P>Ciao.</P><P>Giuseppe</P> Wed, 20 Apr 2022 15:16:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594476#M206907 gcusello 2022-04-20T15:16:22Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594482#M206908 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp; Thanks for your help</P><P>I tried but the field is empty in my results. But the raw logs is having the values.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexspunkshell_0-1650469176646.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/19154i0B865486AA3E02A4/image-size/medium?v=v2&amp;px=400" role="button" title="alexspunkshell_0-1650469176646.png" alt="alexspunkshell_0-1650469176646.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 20 Apr 2022 15:39:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594482#M206908 alexspunkshell 2022-04-20T15:39:52Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594483#M206909 If you really have that \ as an escape character on your data, you should add could of more \ character on your rex. There reason is that internally there are couple of places where splunk do that de-escaping and for that reason sometimes you need to do it double or triple times. Wed, 20 Apr 2022 15:38:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594483#M206909 isoutamo 2022-04-20T15:38:42Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594489#M206912 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/126376">@alexspunkshell</a>,</P><P>sometimes I found a behaviour in Splunk different than regex101, so please try this:</P><LI-CODE lang="markup">| rex "analystVerdictDescription\\\\":\s+\\\\"(?&lt;analystVerdictDescription&gt;[^\"]+)"</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 20 Apr 2022 15:45:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594489#M206912 gcusello 2022-04-20T15:45:15Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594491#M206913 <P>Still the same</P> Wed, 20 Apr 2022 15:48:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594491#M206913 alexspunkshell 2022-04-20T15:48:17Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594494#M206915 <LI-CODE lang="markup">| rex "analystVerdict\\\\\":\s+\\\\\"(?&lt;analystVerdictDescription&gt;[^\\\\\"]+)"</LI-CODE> Wed, 20 Apr 2022 15:54:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/594494#M206915 ITWhisperer 2022-04-20T15:54:03Z