I have the following line. I would like to parse the githash from it.
[08/Oct/2019:05:08:31 +0000] 200 \"GET / HTTP/1.1\" 1203 \"-\" ,"source":"stdout", "tag": test/test-ui:b1cd4er8590rj39d39309e9e9/test-ui/03e020671f70
When I run my splunk query, I want to display "b1cd4er8590rj39d39309e9e9".
Hi
Try this regex:
\"tag\":\s+[^:]*:(?<githash>[^\/]*)\/
You can use it in a field extractor or in a rex command:
| rex "\"tag\":\s+[^:]*:(?<githash>[^\/]*)\/"
You can test it at https://regex101.com/r/tCmHBh/1
Bye.
Giuseppe
| rex field=_raw "\"tag\":\s+[^:]+:(?<githash>[^/]+)/"
Use rex to extract a new field using a regular expression. This regex looks for "tag":, followed by some whitespace, followed by anything except a colon, then a colon, then captures everything up to the next slash into a new field called "githash".
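As an added example (not part of either answer above), the two rex patterns translated to Python's re module, which spells a named group (?P<name>...) where Splunk's PCRE uses (?<name>...). Run over constructed sample events, it shows the practical difference between the first answer's "*" quantifiers and the second answer's "+" quantifiers when the tag carries an empty hash; the sample lines other than the question's own are made up.

```python
import re

# Splunk's rex uses PCRE, where a named group is written (?<name>...);
# Python's re module writes the same thing as (?P<name>...).
# First answer's pattern ("*" quantifiers): accepts an empty hash.
STAR_PATTERN = re.compile(r'"tag":\s+[^:]*:(?P<githash>[^/]*)/')
# Second answer's pattern ("+" quantifiers): requires a non-empty hash.
PLUS_PATTERN = re.compile(r'"tag":\s+[^:]+:(?P<githash>[^/]+)/')

# Constructed sample events: the first mirrors the question's line, the
# second has a tag with an empty hash, the third has no tag at all.
SAMPLE_EVENTS = [
    r'[08/Oct/2019:05:08:31 +0000] 200 \"GET / HTTP/1.1\" 1203 \"-\" ,"source":"stdout", "tag": test/test-ui:b1cd4er8590rj39d39309e9e9/test-ui/03e020671f70',
    r'[08/Oct/2019:05:09:02 +0000] 500 \"GET /health HTTP/1.1\" 0 \"-\" ,"source":"stderr", "tag": test/test-ui:/test-ui/03e020671f70',
    r'[08/Oct/2019:05:09:40 +0000] 200 \"GET / HTTP/1.1\" 1203 \"-\" ,"source":"stdout"',
]


def extract_githash(event, pattern=PLUS_PATTERN):
    """Return the githash captured from one event, or None when the tag is
    missing or the pattern does not match. This mirrors rex: a non-matching
    event is kept, it just gets no githash field."""
    match = pattern.search(event)
    return match.group("githash") if match else None


def extract_all(events, pattern=PLUS_PATTERN):
    """Apply the extraction to every event, like rex over a search result."""
    return [extract_githash(event, pattern) for event in events]


if __name__ == "__main__":
    for name, pattern in (("star", STAR_PATTERN), ("plus", PLUS_PATTERN)):
        print(name, extract_all(SAMPLE_EVENTS, pattern))
```

With the "*" version an empty tag hash yields an empty githash field, which silently passes a later "githash=*" filter; the "+" version leaves the field absent instead, which is usually what you want for a hash.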