Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

field extraction

sahana
Engager
‎11-01-2021 03:00 AM

Hi,

I need to extract a value  from a message field, which has multiple data values. as like below,

message:{user: xxxx,age:yy,gender:xxxx, position:"nnnn", place:yyy}

In the above i need to extract the position value, which may have n number datas present after this. So, I need to extract the position value by its name alone. 

And also this position value can be there with a name as designation also

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2021 03:41 AM

From your example, the following rex should work

| rex "position:\"(?<position>[^\"]*)\""

Similarly for designation

Having said that, your example looks like it might be JSON but it not correctly formatted as JSON, so depending on what your actual data looks like, you may need to adjust the rex string

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...