hello everyone,
my event data looks like this
{\"status\":1,\"httpStatus\":200,\"event\":\"getBooks\"}
My goal is to extract httpStatus as a field so I can filter events by their codes (e.g. 200, 400, ...).
I learned that we need to escape backslashes and double quotes, but the command below didn't work:
| rex "httpStatus\\\":(?<http_status>\d+)"
What did I do incorrectly here?
hi @adhwihhiahwd,
I suppose that you tested your regex in regex101.com and it runs but it doesn't run in Splunk,
so, try using four back slashes
| rex "httpStatus\\\\\":(?<http_status>\d+)"
Ciao.
Giuseppe
wow thanks!
4 back slashes worked...
| rex "httpStatus\\\\\":(?<http_status>\d+)"
Hi @adhwihhiahwd,
Splunk mysteries!!!
Good for you, see you next time!
Let me know if I can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
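
Added example, not part of any post in this thread: a Python sketch of the two escaping layers, showing why the command from the question extracts nothing while the one that worked returns 200. `spl_unquote` and `rex` are hypothetical helpers, and the unescaping rule is a simplified model of how a double-quoted search argument is handled (an assumption, not Splunk's code); the sample event is the one from the question.

```python
import re

# Sample event from the question, with its literal backslashes kept.
EVENT = r'{\"status\":1,\"httpStatus\":200,\"event\":\"getBooks\"}'

def spl_unquote(literal: str) -> str:
    # Layer 1 (assumed, simplified model): inside a double-quoted search
    # argument, backslash-backslash collapses to one backslash and
    # backslash-quote to a quote. Other sequences such as \d pass through.
    if len(literal) < 2 or literal[0] != '"':
        raise ValueError("argument must start with a double quote")
    out, i = [], 1
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])
            i += 2
        elif ch == '"':
            if i != len(literal) - 1:
                raise ValueError(f"string closed early at offset {i}")
            return "".join(out)
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string")

def rex(literal: str, event: str = EVENT):
    # Layer 2: the unquoted text is what the regex engine receives.
    pattern = spl_unquote(literal)
    # PCRE names groups as (?<name>...); Python's re needs (?P<name>...).
    m = re.search(pattern.replace("(?<", "(?P<"), event)
    return pattern, (m.group("http_status") if m else None)

THREE = r'"httpStatus\\\":(?<http_status>\d+)"'    # command from the question
FIVE = r'"httpStatus\\\\\":(?<http_status>\d+)"'   # command that worked

if __name__ == "__main__":
    for name, lit in (("question", THREE), ("working", FIVE)):
        regex, value = rex(lit)
        print(f"{name:9} regex seen by engine: {regex}  ->  {value}")
```

With three backslashes the engine receives `\"`, which matches only a quote, so the literal backslash in the event is never consumed; with the longer form it receives `\\"`, a literal backslash followed by a quote.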