Hi Guys,
Hope you can help me out.
Consider the following data in Splunk:
{ 
   attrs: { 
     account: 85859303
     version: 1.3848
   }
   line: { 
     application_version: 1.94949303
     message: Event with key 84js9393: {"entity": {"customer_id": "K123456", "order_id": "Sjd49493-93nd-9494-jdjd-mskaldjfhfhh", "collection_id": "djdis939-9398-9488-j939-md839md93000", "issuer_id": null}}
     thread: springfield
     timestamp: 2021-12-21 19:30:52,123
   }
}
I would like to extract the order_id and use it in my search:
order_id=Sjd49493-93nd-9494-jdjd-mskaldjfhfhh
Hope someone can help or point me in the right direction.
Cheers!
Matthew
		It's easy with rex
... | rex "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)"
... 
Hi richgalloway, thanks for your reply.
Unfortunately, when I try to table the results, for example, I do not receive any results.
For example
Base search ....
| rex "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)"
| table order_id

Fixed it:
| rex field=line.message "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)"
| table order_id
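To show why the first rex returned nothing against _raw but works with field=line.message, here is an added Python illustration (not from the thread and not Splunk's own code) that applies the same pattern to a constructed copy of the event. It assumes SPL unescapes `\\\"` in the rex string to a literal quote, and that Splunk keeps the message's inner quotes backslash-escaped in _raw because the message is itself a JSON string.

```python
import json
import re
from typing import Optional

# Constructed sample event in the shape of the thread's data. The "message"
# value is a string, so when the whole event is serialized its inner quotes
# become \" in the raw text (what Splunk holds in _raw).
EVENT = {
    "attrs": {"account": 85859303, "version": 1.3848},
    "line": {
        "application_version": 1.94949303,
        "message": 'Event with key 84js9393: {"entity": {"customer_id": "K123456", '
                   '"order_id": "Sjd49493-93nd-9494-jdjd-mskaldjfhfhh", '
                   '"collection_id": "djdis939-9398-9488-j939-md839md93000", '
                   '"issuer_id": null}}',
        "thread": "springfield",
        "timestamp": "2021-12-21 19:30:52,123",
    },
}
RAW = json.dumps(EVENT)  # one-line JSON, inner quotes escaped as \"

# The thread's rex after SPL string unescaping (assumed: \\ -> \ and \" -> "):
#   order_id":\s"(?<order_id>[^"]+)
# Python spells the named group (?P<name>...).
ORDER_ID_RE = re.compile(r'order_id":\s"(?P<order_id>[^"]+)')

# Looser pattern (Python-side only) that tolerates the optional backslash,
# so it matches both the raw text and the decoded message field.
ORDER_ID_EITHER_RE = re.compile(r'order_id\\?":\s\\?"(?P<order_id>[^"\\]+)')


def extract_order_id(text: str, pattern: re.Pattern = ORDER_ID_RE) -> Optional[str]:
    """Run the pattern over text; None when it does not match."""
    m = pattern.search(text)
    return m.group("order_id") if m else None


def extract_from_raw(raw: str) -> Optional[str]:
    """rex on _raw: the text has order_id\": (backslash before the quote), so no match."""
    return extract_order_id(raw)


def extract_from_message_field(raw: str) -> Optional[str]:
    """rex field=line.message: decode the JSON first, so the inner quotes are plain."""
    return extract_order_id(json.loads(raw)["line"]["message"])


def extract_from_raw_tolerant(raw: str) -> Optional[str]:
    """Same _raw input, but with the backslash-tolerant pattern."""
    return extract_order_id(raw, ORDER_ID_EITHER_RE)
```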