Solved: Re: How do you extract data between double quotes?

Deepz2612 · ‎12-31-2018

I have logs as below.I would want to extract the data within the quotes

 **message**: "vin":"ABCDEFTGH","Type":"Obs-AVE","color":"ABSOLUTE BLACK"

Where message is a field.

I want the value as:

VIN

ABCDEFTGH

renjith_nair · ‎12-31-2018

@Deepz2612 ,

Try

"Your current search"  |rex field=_raw max_match=0 "\"(?<KEY>.+?)\":\"(?<VALUE>.+?)\""
|eval x=mvzip(KEY,VALUE)|table x|mvexpand x
|rex field=x "(?<KEY>.+),(?<VALUE>.+)"|fields - x|transpose 0 header_field=KEY|fields - column

This will result in

vin         Type        color
ABCDEFTGH   Obs-AVE     ABSOLUTE BLACK

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

vnravikumar · ‎01-08-2019

Try this

| makeresults 
 | eval test ="**message**: \"vin\":\"ABCDEFTGH\",\"Type\":\"Obs-AVE\",\"color\":\"ABSOLUTE BLACK\"" 
 | rex field=test "\"vin\":\"(?<vin>.*)\",\"Type\":\"(?<Type>.*)\",\"color\":\"(?<color>.*)\"" 
 | table vin, Type, color

renjith_nair · ‎12-31-2018

@Deepz2612 ,

Try

"Your current search"  |rex field=_raw max_match=0 "\"(?<KEY>.+?)\":\"(?<VALUE>.+?)\""
|eval x=mvzip(KEY,VALUE)|table x|mvexpand x
|rex field=x "(?<KEY>.+),(?<VALUE>.+)"|fields - x|transpose 0 header_field=KEY|fields - column

This will result in

vin         Type        color
ABCDEFTGH   Obs-AVE     ABSOLUTE BLACK

---
What goes around comes around. If it helps, hit it with Karma 🙂

Deepz2612 · ‎01-04-2019

Hi,

The question here is how do i extract the data within the quotes.
message: "vin":"ABCDEFTGH","Type":"Obs-AVE","color":"ABSOLUTE BLACK"
message: "vin":"EFGHTYB","Type":"Obs-ABE","color":"BLACK"

Like in the logs above ,I would want to extract the values as between the quotes as a field value.
eg: whatever data follows after the word "vin":" and ended with ", should be extracted as one field.
ABCDEFTGH

harsmarvania57 · ‎01-04-2019

Have you tried the query provided by me and @renjith.nair ? It is extracting ABCDEFTGH in field vin, Obs-AVE in field Type and ABSOLUTE BLACK in field color

Deepz2612 · ‎01-04-2019

It did work but not in the way i expected.
I just wanted to have a reqular expression to extract the data that is present within the quotes and a colon.

rex field = message *********************

message: "vin":"EFGHTYB"

Here the data EFGHTYB is between :" and "

renjith_nair · ‎01-04-2019

@Deepz2612 ,

If you just want VIN, try this

rex field=your_message_field "vin":\"(?<VIN>\w+)\""

---
What goes around comes around. If it helps, hit it with Karma 🙂

Deepz2612 · ‎01-04-2019

Cool!! Thanks for your help

harsmarvania57 · ‎12-31-2018

Hi @Deepz2612,

I am not able to find an easy way to do this but you can try below query.

<yourBaseSearch>
| rex "\"(?:(?<a>\w+))\"\:\"(?<b>(?:.)*?)\"" max_match=0
| eval c = mvzip(a,b)
| mvexpand c
| eval d=mvindex(split(c,","),0), e=mvindex(split(c,","),1)
| eval {d}=e
| stats values(color) AS color, values(vin) AS vin, values(Type) AS Type by _time

Here is run anywhere search based on sample data

| makeresults | eval _raw="message: \"vin\":\"ABCDEFTGH\",\"Type\":\"Obs-AVE\",\"color\":\"ABSOLUTE BLACK\""
| rex "\"(?:(?<a>\w+))\"\:\"(?<b>(?:.)*?)\"" max_match=0
| eval c = mvzip(a,b)
| mvexpand c
| eval d=mvindex(split(c,","),0), e=mvindex(split(c,","),1)
| eval {d}=e
| stats values(color) AS color, values(vin) AS vin, values(Type) AS Type by _time

EDIT : REGEX Updated.

How do you extract data between double quotes?

VIN

Can’t make it to .conf25? Join us online!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Index This | How many sevens are there between 1 and 100?

Are you a member of the Splunk Community?

How do you extract data between double quotes?

VIN

Can’t make it to .conf25? Join us online!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Index This | How many sevens are there between 1 and 100?