Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you extract data between double quotes?

Deepz2612
Explorer
‎12-31-2018 02:19 AM

I have logs as below.I would want to extract the data within the quotes

 **message**: "vin":"ABCDEFTGH","Type":"Obs-AVE","color":"ABSOLUTE BLACK"

Where message is a field.

I want the value as:

VIN

ABCDEFTGH

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-31-2018 03:09 AM

@Deepz2612 ,

Try

"Your current search"  |rex field=_raw max_match=0 "\"(?<KEY>.+?)\":\"(?<VALUE>.+?)\""
|eval x=mvzip(KEY,VALUE)|table x|mvexpand x
|rex field=x "(?<KEY>.+),(?<VALUE>.+)"|fields - x|transpose 0 header_field=KEY|fields - column

This will result in 

vin         Type        color
ABCDEFTGH   Obs-AVE     ABSOLUTE BLACK
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

vnravikumar
Champion
‎01-08-2019 12:22 AM

Try this

| makeresults 
 | eval test ="**message**: \"vin\":\"ABCDEFTGH\",\"Type\":\"Obs-AVE\",\"color\":\"ABSOLUTE BLACK\"" 
 | rex field=test "\"vin\":\"(?<vin>.*)\",\"Type\":\"(?<Type>.*)\",\"color\":\"(?<color>.*)\"" 
 | table vin, Type, color
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-31-2018 03:09 AM

@Deepz2612 ,

Try

"Your current search"  |rex field=_raw max_match=0 "\"(?<KEY>.+?)\":\"(?<VALUE>.+?)\""
|eval x=mvzip(KEY,VALUE)|table x|mvexpand x
|rex field=x "(?<KEY>.+),(?<VALUE>.+)"|fields - x|transpose 0 header_field=KEY|fields - column

This will result in 

vin         Type        color
ABCDEFTGH   Obs-AVE     ABSOLUTE BLACK
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Deepz2612
Explorer
‎01-04-2019 12:53 AM

Hi,

The question here is how do i extract the data within the quotes.
message: "vin":"ABCDEFTGH","Type":"Obs-AVE","color":"ABSOLUTE BLACK"
message: "vin":"EFGHTYB","Type":"Obs-ABE","color":"BLACK"

Like in the logs above ,I would want to extract the values as between the quotes as a field value.
eg: whatever data follows after the word "vin":" and ended with ", should be extracted as one field.
ABCDEFTGH

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎01-04-2019 12:58 AM

Have you tried the query provided by me and @renjith.nair ? It is extracting ABCDEFTGH in field vin, Obs-AVE in field Type and ABSOLUTE BLACK in field color

0 Karma
Reply
Solved! Jump to solution

Deepz2612
Explorer
‎01-04-2019 01:14 AM

It did work but not in the way i expected.
I just wanted to have a reqular expression to extract the data that is present within the quotes and a colon.

rex field = message *********************

message: "vin":"EFGHTYB"

Here the data EFGHTYB is between :" and "

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-04-2019 05:12 AM

@Deepz2612 ,

If you just want VIN, try this 

rex field=your_message_field "vin":\"(?<VIN>\w+)\""
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

Deepz2612
Explorer
‎01-04-2019 05:32 AM

Cool!! Thanks for your help

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎12-31-2018 03:05 AM

Hi @Deepz2612,

I am not able to find an easy way to do this but you can try below query.

<yourBaseSearch>
| rex "\"(?:(?<a>\w+))\"\:\"(?<b>(?:.)*?)\"" max_match=0
| eval c = mvzip(a,b)
| mvexpand c
| eval d=mvindex(split(c,","),0), e=mvindex(split(c,","),1)
| eval {d}=e
| stats values(color) AS color, values(vin) AS vin, values(Type) AS Type by _time

Here is run anywhere search based on sample data

| makeresults | eval _raw="message: \"vin\":\"ABCDEFTGH\",\"Type\":\"Obs-AVE\",\"color\":\"ABSOLUTE BLACK\""
| rex "\"(?:(?<a>\w+))\"\:\"(?<b>(?:.)*?)\"" max_match=0
| eval c = mvzip(a,b)
| mvexpand c
| eval d=mvindex(split(c,","),0), e=mvindex(split(c,","),1)
| eval {d}=e
| stats values(color) AS color, values(vin) AS vin, values(Type) AS Type by _time

EDIT : REGEX Updated.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...