https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617243#M214503 <P>I have a log which looks like follow:</P><P>&nbsp;</P><LI-CODE lang="markup">Request received :: Id assigned. --- Id=1, BODY={"userIds":["11"],"email":"test@test.com,"Client":"Test"} </LI-CODE><P>&nbsp;</P><P>The userids will always contains one element in the list surrounded by square brackets. So from above request I want to get 11. I am using rex to extract userID but seems that its not working.</P><P>&nbsp;</P><LI-CODE lang="markup">index=prod-* sourcetype="kube:service" "Request received " | rex field=_raw "userIds\":\[\"(?&lt;user_id&gt;\d+)\"" |table user_id</LI-CODE><P>&nbsp;</P><P>But table is getting printed empty</P> Mon, 17 Oct 2022 14:33:54 GMT user9025 2022-10-17T14:33:54Z https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617243#M214503 <P>I have a log which looks like follow:</P><P>&nbsp;</P><LI-CODE lang="markup">Request received :: Id assigned. --- Id=1, BODY={"userIds":["11"],"email":"test@test.com,"Client":"Test"} </LI-CODE><P>&nbsp;</P><P>The userids will always contains one element in the list surrounded by square brackets. So from above request I want to get 11. I am using rex to extract userID but seems that its not working.</P><P>&nbsp;</P><LI-CODE lang="markup">index=prod-* sourcetype="kube:service" "Request received " | rex field=_raw "userIds\":\[\"(?&lt;user_id&gt;\d+)\"" |table user_id</LI-CODE><P>&nbsp;</P><P>But table is getting printed empty</P> Mon, 17 Oct 2022 14:33:54 GMT https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617243#M214503 user9025 2022-10-17T14:33:54Z https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617247#M214505 <P>There doesn't appear to be anything wrong with what you are doing given the example you have shared. Perhaps the example doesn't accurately represent your actual data? Can you share some obfuscated real events?</P> Sat, 15 Oct 2022 08:14:11 GMT https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617247#M214505 ITWhisperer 2022-10-15T08:14:11Z https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617258#M214511 <P>the events shared are reals, with some fields&nbsp;<SPAN>obfuscated, I am able to extract events, but putting them in table is coming up empty</SPAN></P> Sat, 15 Oct 2022 15:44:40 GMT https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617258#M214511 user9025 2022-10-15T15:44:40Z https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617259#M214512 <P>do we need to extract json variable BODY first from logs and then do it?</P> Sat, 15 Oct 2022 15:51:34 GMT https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617259#M214512 user9025 2022-10-15T15:51:34Z https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617270#M214516 <P>In a way yes, because you should not try to manage structured data like JSON using pure text manipulation like rex. &nbsp;On the other hand, if your data source is configured normally, you should already have a field named BODY. If not, you can use kv aka <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Extract" target="_blank" rel="noopener">extract</A>.</P><P>Once you verify that BODY is extracted, use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath" target="_blank" rel="noopener">spath</A> to extract structured fields.</P><P>&nbsp;</P><LI-CODE lang="markup">| spath input=BODY</LI-CODE><P>&nbsp;</P> Sun, 16 Oct 2022 04:26:29 GMT https://community.splunk.com/t5/Splunk-Search/Extract-user-field-from-log/m-p/617270#M214516 yuanliu 2022-10-16T04:26:29Z