Re: How can i parse the value in this line

balash1979 · ‎10-07-2019

I have the following line. I would like to parse the githash from it.

[08/Oct/2019:05:08:31 +0000]  200 \"GET / HTTP/1.1\" 1203 \"-\" ,"source":"stdout", "tag": test/test-ui:b1cd4er8590rj39d39309e9e9/test-ui/03e020671f70

When I run my splunk query, I want to display "b1cd4er8590rj39d39309e9e9".

gcusello · ‎10-08-2019

Hi
try this regex

\"tag\":\s+[^:]*:(?<githash>[^\/]*)\/

you can use in a field extractor or in a rex command

| rex "\"tag\":\s+[^:]*:(?<githash>[^\/]*)\/"

You can test it at https://regex101.com/r/tCmHBh/1

Bye.
Giuseppe

sduff_splunk · ‎10-07-2019

| rex field=_raw "\"tag\":\s+[^:]+:(?<githash>[^/]+)/"

Use rex to extract a new field using a regular expression. This regex looks for "tag":, followed by some whitespace, followed by anything except a :, then :, then capture everything into a new field called "githash", up to the /

How can i parse the value in this line

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation