Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: how to capture 2 slightly different pattern of...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to capture 2 slightly different pattern of strings through regex and make it one field
Hello All ,
i wanted to capture the numeric values for below strings ctn.
CTN captured into 2 different formats.
First "ctn": "2148504794" - it has space between ":" and numeric values
Second ctn":"2148504794" - it doesn't have space between ":" and numeric values
like
"ctnId":279,"ctn":"2148504794",
processDMaaPMessage {"device": [{"ctn": "2148504794","status": "Restored"}]}}
i am using this rex
rex "ctn\"[:|: ] \"(?\d+)\","
but it seems it didn't work
please suggest a fix
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this run anywhere search
| makeresults
| eval data="\"ctn\": \"2148504794\""
| append
[| makeresults
| eval data="ctn\":\"2148504794\""]
| rex field=data "ctn\":(|\s+)\"(?<ctn>[^\"]+)"
In your environment you should try,
<your base search>| rex field=_raw "ctn\":(|\s+)\"(?<ctn>[^\"]+)"
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, you might want to start using a service like regex101.com. It would've shown you that your regex has invalid syntax. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Mayur, it works 🙂
i am trying to capture below reasonMessage also, but it capture
the colon with space only like "reasonMessage": "Uplift transaction failed due to SWC system error"}]}}*
i wanted to capture below strings as well.
"reasonMessage": "Uplift transaction failed due to SWC system error"}]}}
Thanks alot for your time and inputs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this regex \"reasonMessage\"\:\s\"(?<reasonMessage>[^\"]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You rocks Mayur. Thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ms208a, if your issue is resolved, please accept the answer to mark this question as answered and help others facing similar issue in future.
Do up vote the comment/s that helped 🙂
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
