Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help me with Rex in search query

sravankaripe
Communicator
‎02-22-2017 06:56 AM

"sessionID":"123456567"
"sessionID":"ABCnsh8ah"

Please help me with Rex to pick
123456567
ABCnsh8ah

from above _raw event

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎02-22-2017 07:01 AM

Please try

<raw_search> | rex  "sessionID\":\"(?<mysessionID>[\d\w]+)\""| table mysessionID

Full example with sample data

|makeresults | eval _raw="\"sessionID\":\"123456567\""|  rex  "sessionID\":\"(?<mysessionID>[\d\w]+)\""| table mysessionID

View solution in original post

0 Karma
Reply
Solved! Jump to solution

hhGA
Communicator
‎02-22-2017 07:02 AM

Hi,

Give this a shot:

rex field=_raw> "\"sessionID\":\"(?<field>\S+)\""
0 Karma
Reply
Solved! Jump to solution

adayton20
Contributor
‎02-22-2017 07:02 AM

Try this:

| rex field=_raw "sessionID\"\:\"(<sessionID>.[^\"]*)"
0 Karma
Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎02-22-2017 07:01 AM

Please try

<raw_search> | rex  "sessionID\":\"(?<mysessionID>[\d\w]+)\""| table mysessionID

Full example with sample data

|makeresults | eval _raw="\"sessionID\":\"123456567\""|  rex  "sessionID\":\"(?<mysessionID>[\d\w]+)\""| table mysessionID
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...