Solved: How do I extract a value of a key from multi-forma...

issbouzidi · ‎10-10-2018

Hi,

I'm new in Splunk. I need help with extraction data, and I have a multi-format file. Example:

08-Oct-2018 16:27:46.6300000|I|CompanyService|MsgReceivePooling OperationRequestMsg [Id(5976) .Net(14)]|App|Company|Algorithm|Treshold||{ "OperationRequestId" : "5", "StockId" : "value pallet", "msgContent" : "Test content" }

As you can see, there is part of this line which is in JSON format.

My need is that I want to extract the value of key "msgContent"

Anyone have an idea about how to do it?

Thank you

493669 · ‎10-10-2018

try regex to extract msgContent-

|rex "msgContent\"\s:\s\"(?<msgContent>[^\"]+)"

try this run anywhere search-

|makeresults|eval _raw="08-Oct-2018 16:27:46.6300000|I|CompanyService|MsgReceivePooling OperationRequestMsg [Id(5976) .Net(14)]|App|Company|Algorithm|Treshold||{ \"OperationRequestId\" : \"5\", \"StockId\" : \"value pallet\", \"msgContent\" : \"Test content\" }"|rex "msgContent\"\s:\s\"(?<msgContent>[^\"]+)"

View solution in original post

493669 · ‎10-10-2018

try regex to extract msgContent-

|rex "msgContent\"\s:\s\"(?<msgContent>[^\"]+)"

try this run anywhere search-

|makeresults|eval _raw="08-Oct-2018 16:27:46.6300000|I|CompanyService|MsgReceivePooling OperationRequestMsg [Id(5976) .Net(14)]|App|Company|Algorithm|Treshold||{ \"OperationRequestId\" : \"5\", \"StockId\" : \"value pallet\", \"msgContent\" : \"Test content\" }"|rex "msgContent\"\s:\s\"(?<msgContent>[^\"]+)"

issbouzidi · ‎10-10-2018

thank a lot @493669 , the regex works good 🙂

How do I extract a value of a key from multi-format data?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!