Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting field with quotes doesnt seem to work.

balash1979
Path Finder
‎04-03-2020 07:19 AM

Here is the message in splunk and I am trying to extract customer and channel 

{"line":"2020-04-03T12:24:54.589Z LCS {\"customer\":5,\"channel\":\"sqs\",\"notificationId\":213546}

When I run something like this 

index=docker  "Exception" | rex "CustomerID: (?<customer>\S+)," |  rex "channelName\\\\\":\\\\\"(?<channel>\w+)"  | stats count(notificationId) by CustomerID

I am able to see the CustomerID extracted

but when I do 

index=docker  "Exception" | rex "CustomerID: (?<customer>\S+)," |  rex "channelName\\\\\":\\\\\"(?<channel>\w+)"  | stats count(notificationId) by CustomerID, channelName

It is not displaying any results which tells me I am not extracting the channelName correctly. How can I fix this ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-03-2020 10:30 AM

Your data has channel but your RegEx has channelName so try this:

... | rex "channel\\\\\":\\\\\"(?<channel>\w+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-03-2020 10:30 AM

Your data has channel but your RegEx has channelName so try this:

... | rex "channel\\\\\":\\\\\"(?<channel>\w+)"
Reply
Solved! Jump to solution

jpolvino
Builder
‎04-03-2020 08:54 AM

Nobody likes backslashes!

| makeresults
| eval _raw="{\"line\":\"2020-04-03T12:24:54.589Z LCS {\\\"customer\\\":5,\\\"channel\\\":\\\"sqs\\\",\\\"notificationId\\\":213546}"
| rex "customer\\\\\":(?<customer>[^,]+),\\\\\"channel\\\\\":\\\\\"(?<channel>[^\\\]+)\\\\\""
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2020 07:51 AM

Neither of your regular expressions match the example data. There is no "CustomerID:" string and no "channelName" string. Please verify the data so we can help you.

Escaping of '\' is unintuitive in rex. Experiment with the number of \\ used to get the desired results.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

balash1979
Path Finder
‎04-03-2020 08:58 AM

Never mind. I was looking at the wrong values. Thanks for pointing it out.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...