Solved: Field extraction using regex

dinesh001kumar · ‎08-31-2024

Hi All,

Can anbody help us with the Regex expression to extract the feild of Channel: values will be either APP or Web which was highlighted in Sample logs below.

Sample Log1:

\\\":\\\"8E4B3815425627\\\",\\\"channel\\\":\\\"APP\\\"}\"","call_res_body":{},

Sample Log2:

4GksYUB7HGIfhfvs_iLtSc8EFCzOzbAJBze8wjXSDnwmgdhwjjxjsghqsxvhv\\\",\\\"channel\\\":\\\"web\\\"}\"","call_res_body":{},"additional_fields":{}}

ITWhisperer · ‎09-01-2024

Firstly, this looks like it might be some sort of JSON, so you might be better of treating it as such.

However, if you wish to proceed with regex, then you could try something like this

| rex "channel[^\w]+(?<channel>APP|web)"

View solution in original post

ITWhisperer · ‎09-01-2024

Firstly, this looks like it might be some sort of JSON, so you might be better of treating it as such.

However, if you wish to proceed with regex, then you could try something like this

| rex "channel[^\w]+(?<channel>APP|web)"

PickleRick · ‎09-01-2024

Actually, it looks like some horribly disfigured json. It's twice escaped "->\"->\\\"

It might be smart to look into the ingestion process and try to optimize it.

ITWhisperer · ‎09-01-2024

I agree with @PickleRick but sometimes this can be gotten around by reparsing fields with spath, but we can't tell this without seeing the full event.

Thulasinathan_M · ‎08-31-2024

You can try something like below in rex command

channel[^A-Za-z]+(?<channel_type>[^\\]+)

Field extraction using regex

regex

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...