
Extract field between double quotes using rex

MaratD
Explorer

Hi all,

I have the following events

source_host=lioness1 source_host_description="This is the main server"

source_host=lion source_host_description="This is SQL server"

I need to extract the description, which is all the text between double quotes and assign it to the field description. Would you please help?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

At search time, use this rex command:

| rex "\\\"(?<description>[^\\\"]+)"

The same regex should work at index time, just without the escape characters.

---
If this reply helps you, an upvote would be appreciated.

realsplunk
Motivator

Hi,

Looks like we need to escape double quotes. Do you advise this log format:

key=value instead of key="value"? Thanks.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This question has an accepted answer so it's unlikely to draw more viewers. Please post a new question.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

MaratD
Explorer

Thanks, but this could match any string between "". My bad, I didn't make it clear enough. I can have other values between double quotes and I want to make sure that this regex only matches the description. So I did something like this:

rex "description=\\\"(?<description>[^\\\"]+)"

But it didn't work.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your regex should work, assuming there is no hidden white space in the data. Is source_host_description an extracted field? If so, you can use the original regex against that one field.

| rex field=source_host_description "\\\"(?<description>[^\\\"]+)"

If that doesn't work then it might help if you shared a full (sanitized) raw event.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
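As an added illustration (not code from the thread or from Splunk), the Python example below runs the two patterns discussed above against the events from the question, using Python's re module as a stand-in for the PCRE engine behind rex. Python's re spells a named group `(?P<name>...)` where Splunk writes `(?<name>...)`; the third event is constructed to show why the generic quote match picks up the wrong value when another quoted field precedes the description, and `from_field` mirrors the `field=source_host_description` variant.

```python
import re

# Constructed sample events: the two from the question plus a third that
# carries another quoted value before source_host_description.
EVENTS = [
    'source_host=lioness1 source_host_description="This is the main server"',
    'source_host=lion source_host_description="This is SQL server"',
    'source_host=tiger owner="ops team" source_host_description="Backup server"',
]

# Equivalent of the accepted answer: | rex "\"(?<description>[^\"]+)"
# Captures whatever follows the FIRST double quote, up to the next one.
GENERIC = re.compile(r'"(?P<description>[^"]+)')

# Key-anchored variant: only the quoted value of source_host_description.
# Anchoring on the full key avoids matching any other key that merely
# ends in "description=".
ANCHORED = re.compile(r'\bsource_host_description="(?P<description>[^"]+)')


def extract(pattern, event):
    """Return the description captured by pattern, or None if no match."""
    m = pattern.search(event)
    return m.group("description") if m else None


def extract_all(pattern, events=EVENTS):
    """Apply one pattern to every event; None marks events with no match."""
    return [extract(pattern, e) for e in events]


def from_field(field_value):
    """Mirror `rex field=source_host_description ...`: the generic pattern
    is safe when run on just that field's value, quotes included."""
    return extract(GENERIC, field_value)


if __name__ == "__main__":
    for name, pat in (("generic", GENERIC), ("anchored", ANCHORED)):
        print(name, extract_all(pat))
    print("from_field", from_field('"This is SQL server"'))
```

Note that `[^"]+` stops at the first closing quote, so values containing an escaped quote would be truncated by either pattern.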