Archive
Highlighted

rex command help

Path Finder

Help me with Rex

"keys":"values"

"SSOUSERDATA":"INDV=12345678|ONE|testd44|ABCD,ABCD_ABCDABCD"
"X-comGlobalSessionID":"Abcdef2OtOEWYEX0TA6B1KQ"
"X-comPrimaryIdentity":"12345678"
"X-comImpersonatedIdentity":"12345678"
"msgContentType":"Exception due to so and so"

Tags (1)
0 Karma
Highlighted

Re: rex command help

SplunkTrust
SplunkTrust

How about this?

... | rex \":\"(?<skoelpin>.+)(?=\")

Your fieldname will be skoelpin 🙂

0 Karma
Highlighted

Re: rex command help

Path Finder

i want to retrive "INDV=12345678|ONE|testd44|ABCD,ABCD_ABCDABCD"
from the event. can you help me with rex.

"SSOUSERDATA":"INDV=12345678|ONE|testd44|ABCD,ABCD_ABCDABCD"

0 Karma
Highlighted

Re: rex command help

SplunkTrust
SplunkTrust

This will capture the value "INDV=12345678|ONE|testd44|ABCD,ABCD_ABCDABCD"

... | rex \":\"(?<skoelpin>.+)(?=\")

0 Karma
Highlighted

Re: rex command help

SplunkTrust
SplunkTrust

...|extract kvdelim=":" pairdelim=" "

If that works in search, it can be done automatically in props.conf too

Highlighted

Re: rex command help

SplunkTrust
SplunkTrust

This would be the obvious choice, but OP said he wanted rex