Solved: Using rex to split raw field

Janani_Krish · ‎09-16-2020

I have raw field in the below format.

{"device":"device1","date":"2020-09-16T05:17:04.197Z","file_path":"CSIDL_PROFILE\\appdata","file_hash":"1bcdefgh12469"}

I wanted the content of file_path like "CSIDL_PROFILE\\appdata"[inclusing quotes]. I tried something like below,

sourcetype="file"|rex "{"device":"*","date":"*","file_path":(?<file>.*)"|table _raw,file

I am not good at rex queries. Please suggest me some ideas to take the values of file_path including quotes.

ITWhisperer · ‎09-16-2020

This looks like json so spath may be an easier option

| spath file_path
| eval file_path="\""+file_path+"\""

Second line adds the quotes back in

If you still want to use rex, try:

| rex "file_path\"\:(?<file_path>\"[^\"]+\")"

thambisetty · ‎09-16-2020

simple, value will be extracted to new field called "file_path"

| rex "file_path\":(?<file_path>[^\,]+)"

————————————
If this helps, give a like below.

gcusello · ‎09-16-2020

if you want to include also quotas, please, try this regex:

| rex "\"file_path\":(?<file_path>[^,]*),"

Ciao.

Giuseppe

ITWhisperer · ‎09-16-2020

This looks like json so spath may be an easier option

| spath file_path
| eval file_path="\""+file_path+"\""

Second line adds the quotes back in

If you still want to use rex, try:

| rex "file_path\"\:(?<file_path>\"[^\"]+\")"

Using rex to split raw field