Splunk Search

Extract a field using rex

davidda
Explorer

Hi,

I want to create a new field named "RequestId" from the data after "channelRequestId:" field using regex.
This is the related part of my log (I've bolded the associated values I would like to extract):

parameterValue={"executingDetails":{"executingxxxNumber":xx,"executingxxxxNumber":xxx},"requestorData":{"requestorIDs":{"serviceProductID":9,
"channelRequestId":"12345678-1234-xxxx-xxxx-abcdeffxxxx","variousChannelTypeCode":9},"requestData":{"referenceNumber":000000,"customerRequestTimestamp":"2017-07-24 14:37:39"}},"xxxxData":{"xxxxxxNumberxxxx":"xxx","xxxToken":"9dc2b23f-ea4a-4632-8b57-f37eaebab64c"},"debitTransactionData":{"requestAmount":1210.0,"currencyTypeCode":1}}

I've tried the following regex, but it doesn't work properly:
| rex mode=sed field=parameterValue "s/^(.?(channelRequestId)[^$])$//g"

Thanks!

1 Solution

gcusello
Esteemed Legend

Hi davidda,
try something like this

\"channelRequestId\":\"(?<channelRequestId>[^\"]*)

or

| rex field=parameterValue "\"channelRequestId\":\"(?<channelRequestId>[^\"]*)"

You can test it at https://regex101.com/r/BM6c6E/1
Bye.
Giuseppe


0 Karma
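To show what the accepted pattern does outside of Splunk, here is an added Python example (not code from the thread or from Splunk): it applies the same regex to an event string constructed from the question's log excerpt, and treats a result set the way `| rex` does, one extracted value (or nothing) per event. The only change to the pattern is the named-group syntax, since Python's `re` module writes `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`. The original attempt used `mode=sed`, which performs substitution on the field rather than creating a new one, so even a matching pattern would not have produced a `RequestId` field.

```python
import re
from typing import List, Optional

# Constructed sample event, copied from the question's log excerpt (placeholder
# values such as xx and 000000 are kept exactly as they appear there).
SAMPLE_PARAMETER_VALUE = (
    'parameterValue={"executingDetails":{"executingxxxNumber":xx,"executingxxxxNumber":xxx},'
    '"requestorData":{"requestorIDs":{"serviceProductID":9,'
    '"channelRequestId":"12345678-1234-xxxx-xxxx-abcdeffxxxx","variousChannelTypeCode":9},'
    '"requestData":{"referenceNumber":000000,"customerRequestTimestamp":"2017-07-24 14:37:39"}},'
    '"xxxxData":{"xxxxxxNumberxxxx":"xxx","xxxToken":"9dc2b23f-ea4a-4632-8b57-f37eaebab64c"},'
    '"debitTransactionData":{"requestAmount":1210.0,"currencyTypeCode":1}}'
)

# The answer's pattern: anchor on the quoted key, then capture everything up to
# the next double quote. Splunk writes the named group as (?<channelRequestId>...);
# Python's re module requires the (?P<name>...) form, otherwise it is identical.
CHANNEL_REQUEST_ID_RE = re.compile(r'"channelRequestId":"(?P<channelRequestId>[^"]*)')


def extract_channel_request_id(event: str) -> Optional[str]:
    """Return the channelRequestId value found in one event, or None if the key is absent."""
    match = CHANNEL_REQUEST_ID_RE.search(event)
    return match.group("channelRequestId") if match else None


def extract_from_events(events: List[str]) -> List[Optional[str]]:
    """Mimic `| rex field=parameterValue ...` over a result set: one value (or None) per event.

    The search is position-independent, so the key may appear anywhere in the
    value; an event without the key simply yields None instead of an error.
    """
    return [extract_channel_request_id(event) for event in events]


if __name__ == "__main__":
    # A second constructed event with the key missing, to show the "no match" case.
    events = [SAMPLE_PARAMETER_VALUE, 'parameterValue={"requestData":{"referenceNumber":1}}']
    for event, value in zip(events, extract_from_events(events)):
        print(repr(value))
```

The `[^"]*` character class is what makes the capture stop at the closing quote of the value, so a value containing commas, colons or braces would still be extracted intact; the only value it cannot handle is one containing an escaped double quote.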

davidda
Explorer

Thank you, the second option works perfectly!

0 Karma