- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract field that might be surrounded by quotes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am working to extract a field that at times is surrounded by quotes. This means I have either; operation or "operation". I have attempted the following:
Log Example:
operation="status"
operation=status
operation="?(?P<operation>"?[^\,]+),
Doing this does is close but on the fields with quotes, the closing quote is included which I did not want. My thought is to just do two extractions with the same name which is not ideal for me. I am extracting until a comma, which is either after the end of the string or after the closing quote.
Edit: I do not want to do anything at search time, I want the values to be correct for other users with limited knowledge.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right now you have the optional closing quote inside of your capture parenthesis. Try moving it outside with something like this:
operation="?(?<operation>[^\,"]+)"?,
See the working example here: https://rubular.com/r/KvJKsg4drQl51V
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right now you have the optional closing quote inside of your capture parenthesis. Try moving it outside with something like this:
operation="?(?<operation>[^\,"]+)"?,
See the working example here: https://rubular.com/r/KvJKsg4drQl51V
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works perfect, I had attempted something similar but I had: operation="?(?<operation>[^\,]+)"?,. I was missing a quote in the expression so I was getting the closing quote in my result. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this :
<your search> | rex "operation=(|\")(?<operation>[^(|\")]+)"
OR
<your search> | rex "operation=(|\")(?<operation>\w+)"
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi aohls,
could you share an example of your logs?
Anyway, you have two choices:
- create a regex for both with and without quotes, bus often is difficult;
- create towo different extractions (e.g. operation1 and operation2) and then merge values using coalesce,
Something like this:
| index=my_index
| rex "operation\=\"(?<operation1>[^\"]*)"
| rex "operation\=(?<operation2>[^,]*)"
| eval operation=coalesce(operation1,operation2)
| ...
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can just try a replace after the operation is extracted
| eval operation=replace(operation,"\"","")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am hoping to accomplish this within the extraction and avoid any search time requirements.
There's No Place Like Chrome and the Splunk Platform
The Great Resilience Quest: 5th Leaderboard Update
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
