Solved: Field extraction using regex

dinesh001kumar · ‎08-31-2024

Hi All,

Can anbody help us with the Regex expression to extract the feild of Channel: values will be either APP or Web which was highlighted in Sample logs below.

Sample Log1:

\\\":\\\"8E4B3815425627\\\",\\\"channel\\\":\\\"APP\\\"}\"","call_res_body":{},

Sample Log2:

4GksYUB7HGIfhfvs_iLtSc8EFCzOzbAJBze8wjXSDnwmgdhwjjxjsghqsxvhv\\\",\\\"channel\\\":\\\"web\\\"}\"","call_res_body":{},"additional_fields":{}}

ITWhisperer · ‎09-01-2024

Firstly, this looks like it might be some sort of JSON, so you might be better of treating it as such.

However, if you wish to proceed with regex, then you could try something like this

| rex "channel[^\w]+(?<channel>APP|web)"

View solution in original post

ITWhisperer · ‎09-01-2024

Firstly, this looks like it might be some sort of JSON, so you might be better of treating it as such.

However, if you wish to proceed with regex, then you could try something like this

| rex "channel[^\w]+(?<channel>APP|web)"

PickleRick · ‎09-01-2024

Actually, it looks like some horribly disfigured json. It's twice escaped "->\"->\\\"

It might be smart to look into the ingestion process and try to optimize it.

ITWhisperer · ‎09-01-2024

I agree with @PickleRick but sometimes this can be gotten around by reparsing fields with spath, but we can't tell this without seeing the full event.

Thulasinathan_M · ‎08-31-2024

You can try something like below in rex command

channel[^A-Za-z]+(?<channel_type>[^\\]+)

Field extraction using regex

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

.conf26 Registration is Live: Secure Your Early Bird Pass Now

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Join the Conversation