Re: Extract Field with Backslash and Quotes

ank15july96 · ‎02-18-2021

I'm trying to extract this field that has colon, backslash and quotes around it and its not yielding any result.

Field looks like this: [{\"errorCode\":9810,

This is what I tried:

index=main errorCode | rex field=_raw "\"errorCode\\\":(?<code>....)" | table code

This is giving empty result.

Would appreciate any hints or suggestions.

to4kawa · ‎02-22-2021

your log is JSON, try spath

saravanan90 · ‎02-18-2021

This may help..

index=main errorCode | rex field=_raw "errorCode\\\\\":(?<code>\d+)" | table code

ank15july96 · ‎02-22-2021

Hey Saravanan, do you know how to extract second occurrence of errorCode?
This query is extracting the first occurrence fine but I need to skip the first and retrieve the second occurrence.

saravanan90 · ‎02-22-2021

Hi @ank15july96 ,

You can try spath as suggested by @to4kawa as it will extract all the fields json & xml.

Below may help to extract the second occurrence...

|rex field=_raw max_match=0 "errorCode\\\\\":(?<code>\d+)") | eval code=mvindex(code,1)

to4kawa · ‎02-22-2021

Please give me the entire log.
There is also a way to do spath.

Extract Field with Backslash and Quotes

field extraction

regex

rex

table

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!