Regex Help

SS1 · ‎09-23-2021

Hi,

I have the below log entry, can you help with the regex to extract the line in Red. The regex i have is not working properly in props.conf

2021-09-23 19:03:40.802 INFO 1 --- [sdgfsdgsdfgsdfg] asdfasdfasdfasfasfgfdhdfhdf : Response --> {
"claimId" : asfdasdfadf,
"claimFilerId" : "sadfasdf",
"vendorName" : "asfasfadfadf. ",
"vendorId" : "aefadf",
"vendorAddressId" : "asfafsd",
"vendorAddress" : "sdfgsdgsfg",
"preparedDate" : "09-22-2021",
"receivedDate" : "09-22-2021",
"enteredDate" : "09-22-2021",
"assignedTo" : {
"employeeId" : "sdfasdf ",
"firstName" : "asfasf",
"lastName" : "zsdfdf",
"adUserIdentifier" : "zsdfvzdv"
},
"correspondence" : {
"type" : {
"code" : 5947,
"shortName" : "EOB",
"longName" : "EOB"
},
"dispatchCode" : {
"code" : 5947,
"shortName" : "NtRqd",
"longName" : "Not Required"
},
"emailAddress" : "abcd@g.com, dgfh@a.in"
}

SS1 · ‎09-23-2021

you mean transforms.conf ?

Below are the two regex's i tried

[email-anonymizer]
REGEX = (^.*[^.]+)(^.*[^.]+)(?ms)(\"emailAddress\")(.*)
FORMAT = $1$2$3########
DEST_KEY = _raw

[ss-email-anonymizer]
REGEX = (^.*[^.]+)("[A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63}),\s*([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63}")(\s.*[^.]+)
FORMAT = $1###########$4
DEST_KEY = _raw

ITWhisperer · ‎09-23-2021

What regex do you have in props.conf?

Regex Help

field extraction

indexer

inputs.conf

props.conf

transforms.conf

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Regex Help