Splunk Enterprise

How to extract field between double quotes using rex?

sureshkumaar
Path Finder

We have multiple values within double quotes that have to be updated into different field names according to the names we have.

All the values within double quotes have to go into different field names separately.

The below regex is working, but it is picking all the values and updating them in one field. I am looking for:

1. the value within the first double quotes getting picked into one common field name

2. the value within the second double quotes getting picked into a second common field name

3. the value within the third double quotes getting picked into a third common field name

| rex "\\\"(?<JobId>[^\\\"]+)"

"17449551"
"pmqcd1p3"
"SAP for Oracle"
"PMQ"
"N/A"
"default"
"(Logcommand line)"
0 Karma

ITWhisperer
SplunkTrust

Please share your complete raw event in a code block </> so that formatting is not compromised.

0 Karma

sureshkumaar
Path Finder

Hi @ITWhisperer 

This is the raw event coming from a CSV file.

Whichever values come in double quotes have to be separated and updated into unique field names.
Even if there are empty values within the double quotes, it shouldn't skip them.
Sometimes the characters are lengthy, and they shouldn't get updated into another field.

"17449551","pmqcd1p3","SAP for Oracle","PMQ","N/A","default","(Logcommand line)","Backup 3RD","Full(Log)","Mar 20, 2023","Mar 20, 2023, 10:21:16 AM","20","","0","Failed","CVLT","Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd","","","Mar 20, 2023, 10:41:49 AM"

0 Karma

ITWhisperer
SplunkTrust

Assuming all your field values are in double quotes, even the numerics, and that you have no embedded / escaped double quotes, you can do something like this:

| rex max_match=0 "(?<field>\"[^\"]*\")"
| eval field1=mvindex(field,0)
| eval field2=mvindex(field,1)

Note: mvindex indexes start at zero. Obviously you can name the fields how you like, not necessarily "field1", "field2", etc.

0 Karma

sureshkumaar
Path Finder

My issue here is actually the following:

the below line actually has to be covered under a field called "Failure Reason", and when I am giving the below mvindex command it's working fine,

but not all the failure reasons occupy 2 mvindex values; some occupy 1 and some occupy more than 1 (2 OR 3 OR 4).

| eval "Failure Reason"=mvindex(_raw,19,20)

"Error occurred in Disk Media, For more help, please call your vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd"

And another issue here is if we have 2 empty values: when I am giving the below mvindex, it's picking the value which is supposed to get updated in the 23rd mvindex (i.e. the date timestamp gets updated) instead of staying blank.

| eval "Failure Reason"=mvindex(_raw,21)

""

""

"Mar 20, 2023, 10:41:49 AM"

0 Karma
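The two symptoms described in this post (a failure reason spread over 2, 3 or 4 positions, and an empty value letting the timestamp slide into the wrong slot) come from how the values are split, not from mvindex. Below is an added Python example, not code from this thread or from Splunk, that runs the same quoted-value regex as the `rex max_match=0` answer over the raw event posted above: `re.findall` stands in for `max_match=0`, list indexing for `mvindex`, and a plain `split(",")` shows what comma-splitting does to values that contain commas. The field names in `FIELD_NAMES` are assumed for illustration.

```python
import re

# Raw event posted in the thread: one CSV line, every value double-quoted.
RAW_EVENT = (
    '"17449551","pmqcd1p3","SAP for Oracle","PMQ","N/A","default",'
    '"(Logcommand line)","Backup 3RD","Full(Log)","Mar 20, 2023",'
    '"Mar 20, 2023, 10:21:16 AM","20","","0","Failed","CVLT",'
    '"Error occurred in Disk Media, For more help, please call your '
    "vendor's support hotline.<br>Source: CVLT-NGDC-E11-MA05, Process: cvd\","
    '"","","Mar 20, 2023, 10:41:49 AM"'
)

# Same idea as  | rex max_match=0 "(?<field>\"[^\"]*\")"  in the answer, with the
# quotes left outside the capture group so each value comes back bare.
# [^"]* keeps an empty value ("") as its own position; [^"]+ (the pattern in the
# question) cannot match "" and instead locks onto the stray `","` between
# values, so every position after the first empty value is wrong.
QUOTED_KEEP_EMPTY = re.compile(r'"([^"]*)"')
QUOTED_SKIP_EMPTY = re.compile(r'"([^"]+)"')

# Hypothetical names for the positions discussed in the thread (0-based, like mvindex).
FIELD_NAMES = {0: "JobId", 14: "Status", 16: "Failure Reason", 19: "EndTime"}


def extract_quoted(raw, keep_empty=True):
    """Return every double-quoted value in order; findall plays the role of max_match=0."""
    pattern = QUOTED_KEEP_EMPTY if keep_empty else QUOTED_SKIP_EMPTY
    return pattern.findall(raw)


def naive_comma_split(raw):
    """What splitting on ',' does: a value that contains commas is torn into pieces."""
    return raw.split(",")


def name_fields(values):
    """Pick values by position, the way mvindex(field, n) does in SPL (None if absent)."""
    return {name: (values[i] if i < len(values) else None) for i, name in FIELD_NAMES.items()}


if __name__ == "__main__":
    good = extract_quoted(RAW_EVENT)
    bad = extract_quoted(RAW_EVENT, keep_empty=False)
    print(len(good), "quoted values;", len(naive_comma_split(RAW_EVENT)), "comma pieces")
    print('with [^"]* :', name_fields(good))
    print('with [^"]+ :', name_fields(bad))
```

With `[^"]*` the event yields 20 positions and the failure reason stays in position 16 despite its embedded commas; with `[^"]+` the regex drifts after the first `""` and captures only `,` from there on, and a plain comma split cuts the same event into 28 pieces.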

ITWhisperer
SplunkTrust

Please show your complete SPL and the raw event which is giving you problems.

0 Karma