Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction

Deepz2612
Explorer
‎12-16-2017 08:10 AM

Hi ,

For logs such as below please help me in extracting the data enclosed within double quotes.

Contact Dealership Name="Amery",Role= "IT_Deal"
Contact Dealership Name="US",Role= "IT_Deal"
Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"

I tried using rex field=_raw "Contact Dealership Name=\"(?[^,]+)\""
But the results are as below :

Dealership_Name 
Amery
US

but J. Nuckolls, Inc. dba Fenton Auto Sales is not included in the result.
how the rex_field has to be modified to capture that also

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎12-16-2017 10:09 AM

Hey @Deepz2612

Try this, you will be able to extract dealership name and role in one regex

| rex field=_raw “Contact\sDealership\sName=(\"|\s)(?P<ContactDealershipName>[^\"]+)\",Role=(\s|)\"(?P<Role>[^\"]+)”

Let me know if this works!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎12-16-2017 10:09 AM

Hey @Deepz2612

Try this, you will be able to extract dealership name and role in one regex

| rex field=_raw “Contact\sDealership\sName=(\"|\s)(?P<ContactDealershipName>[^\"]+)\",Role=(\s|)\"(?P<Role>[^\"]+)”

Let me know if this works!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-16-2017 10:38 AM

@mayurr98, max_match=0 needs to be added in case this is a single event. Contact Dealership Name does not have space after equal to sign and before double quotes. However Role has a space before double quotes. So, the following regex should also work.

You have special character double quotes in the code above for regular expression convert to simple double quotes "

@Deepz2612, following is the run anywhere search based on your sample data:

| makeresults
| eval _raw="Contact Dealership Name=\"Amery\",Role= \"IT_Deal\"
 Contact Dealership Name=\"US\",Role= \"IT_Deal\"
 Contact Dealership Name=\"J. Nuckolls, Inc. dba Fenton Auto Sales\",Role= \"IT_DEAN\"
"
| rex "Contact\sDealership\sName=\"(?<contact_dealership_name>[^\"]+)\",Role=\s\"(?<role>[^\"]+)\"" max_match=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Deepz2612
Explorer
‎12-17-2017 05:48 AM

Great!
Thanks @niketnilay. this worked and thank you so much for helping me out.

0 Karma
Reply
Solved! Jump to solution

ifotopoulos
Explorer
‎12-16-2017 08:29 AM

Try the following regex:

Contact Dealership Name=\"(.+?)\"

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...