Solved: Field Extraction

scout29 · ‎11-22-2024

Need help to extract a field that comes after a certain word in a event.

I am looking to extract a field called "sn_grp" with the value of "M2 Infra Ops". So for every event that has sn_grp: i would like to extract the string that follows of "M2 Infra Ops". This string value will be the same name for every event.

Below is an example data set i am using to write the regex to

\"sn_grp:M2 Infra Ops\"},{\"context\":\"CONTEXTLESS\",\"key\":\"Correspondence Routing Engine\

richgalloway · ‎11-22-2024

This should get you started.

| rex "sn_grp:(?<sn_grp>[^\\]+)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-22-2024

This should get you started.

| rex "sn_grp:(?<sn_grp>[^\\]+)"

---
If this reply helps you, Karma would be appreciated.

scout29 · ‎11-22-2024

That seems to work however it is capturing the "\" in the string at the end. I want the value to stop after Ops in the string and not include the "\"

richgalloway · ‎11-22-2024

Try my revised answer.

---
If this reply helps you, Karma would be appreciated.

Field Extraction

field extraction

regex

rex

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...