https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278725#M84193 <P>Hi Guys, </P> <P>I am new to Splunk and regex and trying to extract a given field plus its value. So in the example below, the field is user and the value is 11111111, but this could be anything like a name or description etc. What is the easiest way to select a field by name and extract its value based on the following second set of quotes?</P> <PRE><CODE>"user" : "11111111" </CODE></PRE> Wed, 10 Feb 2016 23:49:19 GMT dernst 2016-02-10T23:49:19Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278725#M84193 <P>Hi Guys, </P> <P>I am new to Splunk and regex and trying to extract a given field plus its value. So in the example below, the field is user and the value is 11111111, but this could be anything like a name or description etc. What is the easiest way to select a field by name and extract its value based on the following second set of quotes?</P> <PRE><CODE>"user" : "11111111" </CODE></PRE> Wed, 10 Feb 2016 23:49:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278725#M84193 dernst 2016-02-10T23:49:19Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278726#M84194 <P>Hi dernst,</P> <P>take a look at this answer <A href="https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html">https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html</A> which provides an example to the same question. You simply have to use this <CODE>"([^"]+)"\s:\s"([^"]+)"</CODE> as your regex in <CODE>transforms.conf</CODE>.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Thu, 11 Feb 2016 00:44:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278726#M84194 MuS 2016-02-11T00:44:29Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278727#M84195 <P>Hi ,</P> <P>For logs such as below please help me in extracting the data enclosed within double quotes.</P> <P>Contact Dealership Name="Amery",Role= "IT_Deal"<BR /> Contact Dealership Name="US",Role= "IT_Deal"<BR /> Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"</P> <P>I tried using <STRONG>rex field=_raw "Contact Dealership Name=\"(?[^,]+)\""</STRONG><BR /> But the results are as below :<BR /> Dealership_Name <BR /> Amery<BR /> US<BR /> but <STRONG>J. Nuckolls, Inc. dba Fenton Auto Sales</STRONG> is not included in the result.<BR /> how the rex_field has to be modified to capture that also.</P> Tue, 29 Sep 2020 17:16:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278727#M84195 Deepz2612 2020-09-29T17:16:06Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278728#M84196 <P>@Deepz2612, please post a new question. Also for Sample Data and SPL please use <CODE>code button (101010)</CODE> on Splunk Answers so that special character does not escape.</P> Sat, 16 Dec 2017 13:55:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-within-quotes-and-extract-its-value-based/m-p/278728#M84196 niketn 2017-12-16T13:55:18Z