Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract a value of a key from multi-format data?

issbouzidi
New Member
‎10-10-2018 03:25 AM

Hi,

I'm new in Splunk. I need help with extraction data, and I have a multi-format file. Example:

08-Oct-2018 16:27:46.6300000|I|CompanyService|MsgReceivePooling OperationRequestMsg [Id(5976) .Net(14)]|App|Company|Algorithm|Treshold||{ "OperationRequestId" : "5", "StockId" : "value pallet", "msgContent" : "Test content" }

As you can see, there is part of this line which is in JSON format.

My need is that I want to extract the value of key "msgContent"

Anyone have an idea about how to do it?

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎10-10-2018 06:02 AM

try regex to extract msgContent-

|rex "msgContent\"\s:\s\"(?<msgContent>[^\"]+)"

try this run anywhere search-

|makeresults|eval _raw="08-Oct-2018 16:27:46.6300000|I|CompanyService|MsgReceivePooling OperationRequestMsg [Id(5976) .Net(14)]|App|Company|Algorithm|Treshold||{ \"OperationRequestId\" : \"5\", \"StockId\" : \"value pallet\", \"msgContent\" : \"Test content\" }"|rex "msgContent\"\s:\s\"(?<msgContent>[^\"]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎10-10-2018 06:02 AM

try regex to extract msgContent-

|rex "msgContent\"\s:\s\"(?<msgContent>[^\"]+)"

try this run anywhere search-

|makeresults|eval _raw="08-Oct-2018 16:27:46.6300000|I|CompanyService|MsgReceivePooling OperationRequestMsg [Id(5976) .Net(14)]|App|Company|Algorithm|Treshold||{ \"OperationRequestId\" : \"5\", \"StockId\" : \"value pallet\", \"msgContent\" : \"Test content\" }"|rex "msgContent\"\s:\s\"(?<msgContent>[^\"]+)"
0 Karma
Reply
Solved! Jump to solution

issbouzidi
New Member
‎10-10-2018 07:02 AM

thank a lot @493669 , the regex works good 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...