Splunk Search

How do I extract a long string with double quotes and backslashes?

szheng6699
Engager

Example 1: 
time="2021-02-26T04:20:27Z" level=error msg="[xx] failed processing case" caseNumber=1234 error="Received bad status code for case processing. StatusCode: [500]. Error: [{\"response\": \"strconv.ParseInt: parsing \"\": invalid syntax\", \"status\": false}]." role=x spEnv=x spZone=x userID=x

I want to extract the string "Received bad status code for case processing. StatusCode: [500]. Error: [{\"response\": \"strconv.ParseInt: parsing \"\": invalid syntax\", \"status\": false}]."

Example 2: 

time="2021-03-01T23:50:02Z" level=error msg="[xx] failed processing case" caseNumber=13423 error="Received unexpected status code 400 for POST request. Path/v1/user Request: {\"cloudZone\":[{\"cloud\":\"x\",\"zone\":\"x\"}],\"userDetails\":{\"userName\":\"x\",\"fullName\":\"x\",\"employee\":{\"employeeId\":\"x\",\"emailId\":\"x\",\"lockout\":false,\"enabled\":true,\"kkk\":false},\"description\":\"24784\",\"idNumber\":123,\"groupId\":123}} Response: {\"code\":\"\",\"reason\":\"[DSNumber 123 is already used\",\"request-id\":\"884F74A7-E249-1649-57B7-2C12E807DEDA\"}\n" role=x spEnv=x spZone=x userID=x

I want to extract the string "Received unexpected status code 400 for POST request. Path: /v1/user Request: {\"cz\":[{\"c\":\"x\",\"z\":\"x\"}],\"userDetails\":{\"userName\":\"x\",\"fullName\":\"x\",\"employee\":{\"employeeId\":\"x\",\"emailId\":\"x\",\"lockout\":false,\"enabled\":true,\"kkk\":false},\"description\":\"24784\",\"idNumber\":123,\"groupId\":123}} Response: {\"code\":\"\",\"reason\":\"[DS] Number 123 is already used\",\"request-id\":\"884F74A7-E249-1649-57B7-2C12E807DEDA\"}\n"

0 Karma
1 Solution

tscroggins
Influencer

@szheng6699 

Try this in a search:

| rex "error=\"(?<error>(?:\\\\\"|[^\"])+)"

Or in an inline transform:

error="(?<error>(?:\\"|[^"])+)


0 Karma
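
The pattern from the answer above, run against Example 1 from the question, as an added example that is not part of the original thread. The Python named-group syntax, the `STRICT` variant and the `EVENT_TRAILING` event are assumptions introduced here to show how a value ending in an escaped backslash is handled.

```python
import re

# The answer's inline-transform regex, with the named group rewritten for
# Python's re module: (?P<error>...) instead of PCRE's (?<error>...).
ANSWER = re.compile(r'error="(?P<error>(?:\\"|[^"])+)')

# Assumption, not from the thread: a variant that consumes every backslash
# escape as a two-character pair and requires the closing quote.
STRICT = re.compile(r'error="(?P<error>(?:\\.|[^"\\])*)"')


def extract(pattern, event):
    """Return the raw, still-escaped error value, or None if the field is absent."""
    match = pattern.search(event)
    return match.group("error") if match else None


# Example 1 from the question, split across lines for readability.
EVENT_1 = (
    r'time="2021-02-26T04:20:27Z" level=error msg="[xx] failed processing case" '
    r'caseNumber=1234 error="Received bad status code for case processing. '
    r'StatusCode: [500]. Error: [{\"response\": \"strconv.ParseInt: parsing \"\": '
    r'invalid syntax\", \"status\": false}]." role=x spEnv=x spZone=x userID=x'
)

# Constructed event (not from the thread): assumes the logger writes a literal
# backslash as \\, so the value ends in an escaped backslash before the quote.
EVENT_TRAILING = r'level=error error="cannot open C:\\temp\\" role=x userID=x'

if __name__ == "__main__":
    for name, event in (("example 1", EVENT_1), ("trailing", EVENT_TRAILING)):
        for label, pattern in (("answer", ANSWER), ("strict", STRICT)):
            print(f"{name:9} {label:6} -> {extract(pattern, event)}")
```

Both patterns return the same value for Example 1. On the constructed event, the answer's pattern reads the final `\"` as an escaped quote and captures the following fields as well, while the stricter variant stops at the closing quote.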
