Re: How can i parse the value in this line

balash1979 · ‎10-07-2019

I have the following line. I would like to parse the githash from it.

[08/Oct/2019:05:08:31 +0000]  200 \"GET / HTTP/1.1\" 1203 \"-\" ,"source":"stdout", "tag": test/test-ui:b1cd4er8590rj39d39309e9e9/test-ui/03e020671f70

When I run my splunk query, I want to display "b1cd4er8590rj39d39309e9e9".

gcusello · ‎10-08-2019

Hi
try this regex

\"tag\":\s+[^:]*:(?<githash>[^\/]*)\/

you can use in a field extractor or in a rex command

| rex "\"tag\":\s+[^:]*:(?<githash>[^\/]*)\/"

You can test it at https://regex101.com/r/tCmHBh/1

Bye.
Giuseppe

sduff_splunk · ‎10-07-2019

| rex field=_raw "\"tag\":\s+[^:]+:(?<githash>[^/]+)/"

Use rex to extract a new field using a regular expression. This regex looks for "tag":, followed by some whitespace, followed by anything except a :, then :, then capture everything into a new field called "githash", up to the /

How can i parse the value in this line

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Data Management Digest – June 2026

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Join the Conversation