Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with Rex field-extraction

d00680245
Explorer
‎05-28-2015 07:16 AM

I'm having a difficult time extracting the value for reportId. I'm not sure how to find the digits to the right of "reportId":
The reportId value has a range between 5 to 9 digits. I basically want to find anything between "reportId": AND ,
I've tried Splunk Field-Extractor and many similar examples on answers, but just cannot seem to get anything working.

raw sample data:

2015-05-28 08:27:19,378 INFO com.test.test.reports.Generation.ReportImageServiceListener - message received: {"location":"1","area":1,"Symbol":" LT","Number":"12345","Ids":[1.0,2.0,6.0],"Category":"ALL","reportLevel":"FIELD_GROUP","reportDelivery":"EMAIL_BUNDLE","reportType":"FORM","reportLayout":"LANDSCAPE","Year":2015,"userId":50000,"reportId":0000001,"layers":["CLU_BOUNDARIES","TEST_CLU_BOUNDARIES","ASSOCIATED_LABELS","CLU_LABELS","ASSOCIATED_CLUS","ANNUAL_CLUS","TEST_ACRES_CLUS","POLYGONS","AERIAL_IMAGERY","COUNTIES","PLSS","ROADS","TOWNS","WATERWAYS"],"plantedReport":false,"CluLabelOne":"FSN","FieldLabelFour":"NONE","FieldDisplayOption":"ALL","CluLabelThree":"FIELD","CluLabelTwo":"TRACT","FieldLabelOne":"LABEL","FieldLabelTwo":"ACRES","CluLabelFour":"FIELD_ACRES","FieldColorOption":"CROP","CluLabelFive":"PLANTED_ACRES","FieldLabelThree":"NONE","FieldYieldOption":"CURRENT_USE","FieldLabelFive":"NONE"}

 

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2015 07:23 AM

This regex string works well according to regex101.com. Depending on whether you're extracting at index time or search time, you'll want to put it into a REGEX statement or a rex command.

reportId\":(?P<reportID>\d+)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

Michael_Wilde
Splunk Employee
Splunk Employee
‎05-28-2015 06:10 PM

You might consider making a bit more of a generic regex so you can use it with other fields. If you just tell splunk "after this stuff, grab anything thats inside the quotes.. or grab anything before this comma" you might use that regex on other fields too! Like this:

 | rex "reportId\"\:(?<reportId>[^,\"]+)"

Inside that regex, I'm looking for a single character list, but the ^ "caret" negates it, so it says "anything that is not a comma, or a quote".. and then we repeat that as many times as we can with the "+" plus sign. Make a slight change to the preceding characters and the field name and use the same internal regex, like this:

| rex "reportLayout\"\:\"(?<reportLayout>[^,\"]+)"
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2015 07:23 AM

This regex string works well according to regex101.com. Depending on whether you're extracting at index time or search time, you'll want to put it into a REGEX statement or a rex command.

reportId\":(?P<reportID>\d+)
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

d00680245
Explorer
‎05-28-2015 08:07 AM

Thank you! This works for me! I was using www.regexr.com and plugged your solution in there and doesn't seem to work, but I'll definitely try out regex101.com.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-28-2015 08:10 AM

The biggest advantage (IMO) that regex101 has over regexr is support for the same regex syntax as Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-28-2015 09:11 AM

regexr.com was my first love... and then I discovered that regex101.com understands the named capturing groups where the former does not. it's also nice to be able to save and share your regex with a link.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...