topic Re: How do I extract a field from my raw data using rex command? in Splunk Search

How do I extract a field from my raw data using rex command?

tanvi1g — Thu, 24 Aug 2017 10:21:38 GMT

Hi,

Can someone able to help me please.

I'm very new to using Splunk and most certainly to the rex command and regular expressions, so please bear with.

I'm trying to extract an accountId field from my raw data which is in the following format { "accountId":"C12345678" }

Could someone possibly tell me please how I may strip the actual accountId number out of this line.

Many thanks and kind regards

Tanvi

richgalloway — Thu, 24 Aug 2017 13:36:19 GMT

Try this.

... | rex "accountId\":\"(?<accountId>[\w]+)" | ...

cpetterborg — Thu, 24 Aug 2017 15:10:50 GMT

I would have done it slightly differently (in case there were non-\w characters in the accountId):

... | rex "accountId\":\"(?<accountId>[^\"]+)" | ...

s2_splunk — Thu, 24 Aug 2017 17:14:02 GMT

Is your raw data in JSON format (hard to tell from the snippet). If it is, Splunk will do the field extraction for you.

tanvi1g — Mon, 28 Aug 2017 08:19:16 GMT

No, it's apache log

tanvi1g — Mon, 28 Aug 2017 08:20:03 GMT

Thanks. I will try this.