topic Why am I unable to extract a field from my logs with rex using my current regular expression? in Splunk Search

Why am I unable to extract a field from my logs with rex using my current regular expression?

mitcanmit — Mon, 16 Mar 2015 18:16:12 GMT

In my logs, I have the below part and I want to extract success

{\"state\":\"success\",

How do I formulate it with rex? I know that I should escape the backslashes and quotes but adding a \ does not do the trick. This is what I have tried:

| rex "\\\"state\\\":\\\"(?<state>\w*)\\\""

Re: Why am I unable to extract a field from my logs with rex using my current regular expression?

richgalloway — Mon, 16 Mar 2015 18:26:07 GMT

Your regex string worked perfectly on regex101.com, but sometimes Splunk gets confused by quotation marks within strings. Try this alternative:

"\\\x22state\\\x22:\\\x22(?<state>\w*)\\\x22"

Re: Why am I unable to extract a field from my logs with rex using my current regular expression?

somesoni2 — Mon, 16 Mar 2015 21:00:47 GMT

Give this a try as well

your base search | rex   "(\\\)*\"state(\\\)*\":(\\\)*\"(?<state>\w*)(\\\)*\""