Solved: Field extraction using regex

dinesh001kumar · ‎08-31-2024

Hi All,

Can anbody help us with the Regex expression to extract the feild of Channel: values will be either APP or Web which was highlighted in Sample logs below.

Sample Log1:

\\\":\\\"8E4B3815425627\\\",\\\"channel\\\":\\\"APP\\\"}\"","call_res_body":{},

Sample Log2:

4GksYUB7HGIfhfvs_iLtSc8EFCzOzbAJBze8wjXSDnwmgdhwjjxjsghqsxvhv\\\",\\\"channel\\\":\\\"web\\\"}\"","call_res_body":{},"additional_fields":{}}

ITWhisperer · ‎09-01-2024

Firstly, this looks like it might be some sort of JSON, so you might be better of treating it as such.

However, if you wish to proceed with regex, then you could try something like this

| rex "channel[^\w]+(?<channel>APP|web)"

View solution in original post

ITWhisperer · ‎09-01-2024

Firstly, this looks like it might be some sort of JSON, so you might be better of treating it as such.

However, if you wish to proceed with regex, then you could try something like this

| rex "channel[^\w]+(?<channel>APP|web)"

PickleRick · ‎09-01-2024

Actually, it looks like some horribly disfigured json. It's twice escaped "->\"->\\\"

It might be smart to look into the ingestion process and try to optimize it.

ITWhisperer · ‎09-01-2024

I agree with @PickleRick but sometimes this can be gotten around by reparsing fields with spath, but we can't tell this without seeing the full event.

Thulasinathan_M · ‎08-31-2024

You can try something like below in rex command

channel[^A-Za-z]+(?<channel_type>[^\\]+)

Field extraction using regex

regex

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Field extraction using regex

regex

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?