Solved: Re: Extract a field using rex

davidda · ‎07-25-2017

Hi,

I want to create a new field named "RequestId" from the data after "channelRequestId:" field using regex.
This is the related part of my log (I've bold the the associated values i would like to extract):

parameterValue={"executingDetails":{"executingxxxNumber":xx,"executingxxxxNumber":xxx},"requestorData":{"requestorIDs":{"serviceProductID":9,
"channelRequestId":"12345678-1234-xxxx-xxxx-abcdeffxxxx","variousChannelTypeCode":9},"requestData":{"referenceNumber":000000,"customerRequestTimestamp":"2017-07-24 14:37:39"}},"xxxxData":{"xxxxxxNumberxxxx":"xxx","xxxToken":"9dc2b23f-ea4a-4632-8b57-f37eaebab64c"},"debitTransactionData":{"requestAmount":1210.0,"currencyTypeCode":1}}

I've tried the following regex but it doesn't work properly,
| rex mode=sed field=parameterValue "s/^(.?(channelRequestId)[^$])$//g"

Thanks!

gcusello · ‎07-25-2017

Hi davidda,
try something like this

\"channelRequestId\":\"(?<channelRequestId>[^\"]*)

or

| rex field=parameterValue "\"channelRequestId\":\"(?<channelRequestId>[^\"]*)"

You can test it at https://regex101.com/r/BM6c6E/1
Bye.
Giuseppe

View solution in original post

gcusello · ‎07-25-2017

Hi davidda,
try something like this

\"channelRequestId\":\"(?<channelRequestId>[^\"]*)

or

| rex field=parameterValue "\"channelRequestId\":\"(?<channelRequestId>[^\"]*)"

You can test it at https://regex101.com/r/BM6c6E/1
Bye.
Giuseppe

davidda · ‎07-25-2017

Thank you, the second option works perfectly!

Extract a field using rex

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring