Splunk Enterprise

How to extract field between double quotes using rex?

sureshkumaar
Path Finder

We have multiple values within double quotes, and they have to be updated in different field names according to the names we have.

All values have to be put in different field names separately, each one being what is within the double quotes.

The below regex is working, but it is picking all the values and updating them in one field. I am looking for:

1. the value within the first double quotes getting picked into one common field name

2. the value within the second double quotes getting picked into a second common field name

3. the value within the third double quotes getting picked into a third common field name

| rex "\\\"(?<JobId>[^\\\"]+)"

"17449551"
"pmqcd1p3"
"SAP for Oracle"
"PMQ"
"N/A"
"default"
"(Logcommand line)"
0 Karma

ITWhisperer
SplunkTrust

Please share your complete raw event in a code block </> so that formatting is not compromised.

0 Karma

sureshkumaar
Path Finder

Hi @ITWhisperer 

This is the raw event coming from a CSV file

Whichever values come in double quotes have to be separated and updated in unique field names.
Even if there are empty values within the double quotes, it shouldn't skip them.
Sometimes the characters are lengthy, and they shouldn't get updated in another field.


"17449551","pmqcd1p3","SAP for Oracle","PMQ","N/A","default","(Logcommand line)","Backup 3RD","Full(Log)","Mar 20, 2023","Mar 20, 2023, 10:21:16 AM","20","","0","Failed","CVLT","Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd","","","Mar 20, 2023, 10:41:49 AM"

0 Karma

ITWhisperer
SplunkTrust

Assuming all your field values are in double quotes, even the numerics, and that you have no embedded / escaped double quotes, you can do something like this

| rex max_match=0 "(?<field>\"[^\"]*\")"
| eval field1=mvindex(field,0)
| eval field2=mvindex(field,1)

Note: mvindex indexes start at zero. Obviously you can name the fields how you like, not necessarily "field1", "field2", etc.

0 Karma

sureshkumaar
Path Finder

My issue here is actually this:

the below line actually has to be covered under a field called "Failure Reason", and when I give the below mvindex command it works fine,

but not all the failure reasons occupy 2 mvindex values; some occupy 1 and some occupy more than 1 (2 or 3 or 4).

| eval "Failure Reason"=mvindex(_raw,19,20)

"Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd"

And another issue here is if we have 2 empty values: when I give the below mvindex, it picks the value which is supposed to get updated in the 23rd mvindex (i.e. the date time stamp gets updated) instead of staying blank.

| eval "Failure Reason"=mvindex(_raw,21)

""

""

"Mar 20, 2023, 10:41:49 AM"

0 Karma
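To show what the quoted-field pattern from the answer above produces on the raw event posted earlier, and why a plain split on commas makes the failure reason spread across several mvindex positions (the 19,20 indices in the post above are consistent with such a split, which is assumed here), here is a small Python check. It is added here and is not code from the thread or from Splunk; the regex mirrors the SPL `rex max_match=0` answer, and the "Failure Reason" naming at index 16 plus the generic fieldN names are assumptions.

```python
import re
from typing import Dict, List

# Constructed copy of the raw CSV event quoted in the thread above.
RAW_EVENT = (
    '"17449551","pmqcd1p3","SAP for Oracle","PMQ","N/A","default",'
    '"(Logcommand line)","Backup 3RD","Full(Log)","Mar 20, 2023",'
    '"Mar 20, 2023, 10:21:16 AM","20","","0","Failed","CVLT",'
    '"Error occurred in Disk Media, For more help, please call your '
    "vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd\","
    '"","","Mar 20, 2023, 10:41:49 AM"'
)

# Python form of the SPL answer: rex max_match=0 "(?<field>\"[^\"]*\")".
# Only the text between the quotes is captured here. The * (not +) is what
# keeps the empty "" columns as positional entries instead of dropping them.
QUOTED_FIELD = re.compile(r'"([^"]*)"')


def split_on_commas(raw: str) -> List[str]:
    """Naive split on every comma (assumed to be what the 19,20 indices came
    from): any value that itself contains commas is broken into pieces."""
    return raw.split(",")


def extract_quoted_fields(raw: str) -> List[str]:
    """findall is the equivalent of max_match=0: one entry per quoted value,
    commas inside the quotes left untouched, empty values preserved."""
    return QUOTED_FIELD.findall(raw)


def name_fields(values: List[str]) -> Dict[str, str]:
    """Positional naming like eval fieldN=mvindex(field, N-1). Index 16 is the
    'Failure Reason' column from the thread; the other names are assumed."""
    names = {16: "Failure Reason"}
    return {names.get(i, f"field{i + 1}"): v for i, v in enumerate(values)}


if __name__ == "__main__":
    naive = split_on_commas(RAW_EVENT)
    quoted = extract_quoted_fields(RAW_EVENT)
    print(len(naive), "pieces from comma split; failure reason spread over", naive[19:23])
    print(len(quoted), "fields from quoted regex; failure reason intact:", quoted[16])
    print("empty fields kept at positions", [i for i, v in enumerate(quoted) if v == ""])
    print(name_fields(quoted)["Failure Reason"])
```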

ITWhisperer
SplunkTrust

Please show your complete SPL and the raw event which is giving you problems

0 Karma