Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract field that might be surrounded by quotes

aohls
Contributor
‎08-27-2019 07:09 AM

I am working to extract a field that at times is surrounded by quotes. This means I have either; operation or "operation". I have attempted the following:
Log Example:
operation="status"
operation=status

operation="?(?P<operation>"?[^\,]+),

Doing this does is close but on the fields with quotes, the closing quote is included which I did not want. My thought is to just do two extractions with the same name which is not ideal for me. I am extracting until a comma, which is either after the end of the string or after the closing quote.

Edit: I do not want to do anything at search time, I want the values to be correct for other users with limited knowledge.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-27-2019 07:47 AM

Right now you have the optional closing quote inside of your capture parenthesis. Try moving it outside with something like this:

operation="?(?<operation>[^\,"]+)"?,

See the working example here: https://rubular.com/r/KvJKsg4drQl51V

View solution in original post

Reply
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-27-2019 07:47 AM

Right now you have the optional closing quote inside of your capture parenthesis. Try moving it outside with something like this:

operation="?(?<operation>[^\,"]+)"?,

See the working example here: https://rubular.com/r/KvJKsg4drQl51V

Reply
Solved! Jump to solution

aohls
Contributor
‎08-27-2019 07:51 AM

This works perfect, I had attempted something similar but I had: operation="?(?<operation>[^\,]+)"?,. I was missing a quote in the expression so I was getting the closing quote in my result. Thanks.

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎08-27-2019 07:43 AM

Try this :

<your search> | rex "operation=(|\")(?<operation>[^(|\")]+)"

OR 

<your search> | rex "operation=(|\")(?<operation>\w+)"

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-27-2019 07:20 AM

Hi aohls,
could you share an example of your logs?
Anyway, you have two choices:

  • create a regex for both with and without quotes, bus often is difficult;
  • create towo different extractions (e.g. operation1 and operation2) and then merge values using coalesce,

Something like this:

| index=my_index
| rex "operation\=\"(?<operation1>[^\"]*)"
| rex "operation\=(?<operation2>[^,]*)"
| eval operation=coalesce(operation1,operation2)
| ...

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-27-2019 07:18 AM

you can just try a replace after the operation is extracted
| eval operation=replace(operation,"\"","")

0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎08-27-2019 07:39 AM

I am hoping to accomplish this within the extraction and avoid any search time requirements.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...