- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I extract this field using REGEX (rex)?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have the below raw, I would like to extract MaximumBatchQuantity value, which is 20. Can someone help me with REGEX, please?
{"bdy":{"msg":"HttpRequest","addInfo":[{"key":"Url","value":"https://isp0064x.st.ad.XXXXX.com/XXXXXOmniFulfillmentServerApp/api/Assignment/Auto/"},{"key":"Content","value":"{\"Filters\":[],\"**MaximumBatchQuantity**\":**20**,\"AllowedSLAMilliSeconds\":4500,\"AssociateFirstName\":\"Aliona\",\"AssociateId\":\"2795969\",\"AssociateLastName\":\"Cieniawa\",\"Header\":{\"ApiVersion\":null,\"AppVersion\":\"18.3.0.15617\",\"JsonWebToken\":null,\"MessageId\":\"de959d4f-6a7d-4c0c-98d3-1143064b4300\"},\"IsOffline\":false,\"SLARequestKey\":\"AutoBatch\",\"StoreNumber\":\"0064\"}"},{"key":"CorrelationId","value":""},{"key":"MessageId","value":"3a04038d-64e2-493c-b489-90a922de1980"}]},"hdr":{"level":"Verbose","timestamp":"2018-06-04T21:03:19.6347626Z","fxsrc":"LogRequestInfo","lineNum":710,"userId":"2795969","loc":"Store","locId":"0064","ip":"10.224.255.15","hostName":"K-W10ME-7463352","macaddress":"00-16-XX-16-A6-FA","eventid":0,"appVersion":"18.3.0.15617","appName":"OmniFulfillment","deviceModel":"XX500","osVersion":"10.0.14393.2007","firmwareVersion":"1049.7.18039.0","networkSignalStrength":"4","isConnected":"True"},"ver":"0.1"}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming those asterisk in the field name and value of MaximumBatchQuantity is added by you trying to highlight/bold it, give following regex a try
MaximumBatchQuantity[^:]+:(?<MaximumBatchQuantity>[^,]+)
See it working with your sample data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I heard you liked JSON, so I put some JSON in your JSON? Eww.
... | rex "\\\"MaximumBatchQuantity\\\"\s*:\s*\"?(?<MaximumBatchQuantity>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response, this is giving me null value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming those asterisk in the field name and value of MaximumBatchQuantity is added by you trying to highlight/bold it, give following regex a try
MaximumBatchQuantity[^:]+:(?<MaximumBatchQuantity>[^,]+)
See it working with your sample data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used this way
| rex field=_raw MaximumBatchQuantity[^:]+:(?[^,]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
put quotes around the expression
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response, I'm getting below error,
Error in 'SearchParser': Missing a search command before '^'. Error at position '522' of search query 'search index=kohls_prod_stores_servers sourcetype=...{snipped} {errorcontext = hQuantity[^:]+:(?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What's the search you're using? I just gave you the regex portion, you'd need to add other search parts.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
