Solved: Field Extraction

scout29

Need help to extract a field that comes after a certain word in a event.

I am looking to extract a field called "sn_grp" with the value of "M2 Infra Ops". So for every event that has sn_grp: i would like to extract the string that follows of "M2 Infra Ops". This string value will be the same name for every event.

Below is an example data set i am using to write the regex to

\"sn_grp:M2 Infra Ops\"},{\"context\":\"CONTEXTLESS\",\"key\":\"Correspondence Routing Engine\

richgalloway

This should get you started.

| rex "sn_grp:(?<sn_grp>[^\\]+)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway

This should get you started.

| rex "sn_grp:(?<sn_grp>[^\\]+)"

---
If this reply helps you, Karma would be appreciated.

scout29

That seems to work however it is capturing the "\" in the string at the end. I want the value to stop after Ops in the string and not include the "\"

richgalloway

Try my revised answer.

---
If this reply helps you, Karma would be appreciated.

Field Extraction

field extraction

regex

rex

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)