Re: Extract Field with Backslash and Quotes

ank15july96 · ‎02-18-2021

I'm trying to extract this field that has colon, backslash and quotes around it and its not yielding any result.

Field looks like this: [{\"errorCode\":9810,

This is what I tried:

index=main errorCode | rex field=_raw "\"errorCode\\\":(?<code>....)" | table code

This is giving empty result.

Would appreciate any hints or suggestions.

to4kawa · ‎02-22-2021

your log is JSON, try spath

saravanan90 · ‎02-18-2021

This may help..

index=main errorCode | rex field=_raw "errorCode\\\\\":(?<code>\d+)" | table code

ank15july96 · ‎02-22-2021

Hey Saravanan, do you know how to extract second occurrence of errorCode?
This query is extracting the first occurrence fine but I need to skip the first and retrieve the second occurrence.

saravanan90 · ‎02-22-2021

Hi @ank15july96 ,

You can try spath as suggested by @to4kawa as it will extract all the fields json & xml.

Below may help to extract the second occurrence...

|rex field=_raw max_match=0 "errorCode\\\\\":(?<code>\d+)") | eval code=mvindex(code,1)

to4kawa · ‎02-22-2021

Please give me the entire log.
There is also a way to do spath.

Extract Field with Backslash and Quotes

field extraction

regex

rex

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation