Solved: Extracting fields

MicMoo · ‎08-02-2021

I have the following log

2021-08-03T14:12:40,872 th=foo cl=bla p=INFO {"tag":"bla","goo":"SPA","msg":{"dir":"in","correlation":"2035456876870723587526","pack":"ebcdic","0":"1234","3":"001234","4":"000000001234","6":"000000001234","7":"0803141240","11":"521464","41":"51400055","47":"ERT0001234000\\ARDABABDGDG\\GRE1234\\VTE01123400824\\GDE00\\SSER\\Ort612348\\Ort072\\rtI0\\","49":"124","61":"12340000004"}}

I would like to extract the two fields in RED and Pink and rename field to Co

The fields in BOLD GREEN will be key and must be present, rest might or might not.

This is what I got so far

index=bla | rex \"47\":\"*ARD(?<CODA>.{4})

however this is not working and filed is not getting populated.

Thank you

MicMoo · ‎08-02-2021

Solved, should have simplified my search

\\\\ARD(?<RED>\w{4})(?<PINK>\w{4})

View solution in original post

MicMoo · ‎08-02-2021

Thank you @venkatasri , nearly there , when I use what you suggested nothing is extracted , however if I remove the "ARD" string , red and pink where populated but not all cases with the correct info

venkatasri · ‎08-02-2021

Can you share the samples that's not working.

MicMoo · ‎08-02-2021

Solved, should have simplified my search

\\\\ARD(?<RED>\w{4})(?<PINK>\w{4})

venkatasri · ‎08-02-2021

@MicMoo Can you try this?

<your_search> 
| rex "47\".+?\\\\ARD(?<red>\w{4})(?<pink>\w{4})"

Extracting fields

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform