Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you extract data between double quotes?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have logs as below.I would want to extract the data within the quotes
**message**: "vin":"ABCDEFTGH","Type":"Obs-AVE","color":"ABSOLUTE BLACK"
Where message is a field.
I want the value as:
VIN
ABCDEFTGH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Deepz2612 ,
Try
"Your current search" |rex field=_raw max_match=0 "\"(?<KEY>.+?)\":\"(?<VALUE>.+?)\""
|eval x=mvzip(KEY,VALUE)|table x|mvexpand x
|rex field=x "(?<KEY>.+),(?<VALUE>.+)"|fields - x|transpose 0 header_field=KEY|fields - column
This will result in
vin Type color
ABCDEFTGH Obs-AVE ABSOLUTE BLACK
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
| makeresults
| eval test ="**message**: \"vin\":\"ABCDEFTGH\",\"Type\":\"Obs-AVE\",\"color\":\"ABSOLUTE BLACK\""
| rex field=test "\"vin\":\"(?<vin>.*)\",\"Type\":\"(?<Type>.*)\",\"color\":\"(?<color>.*)\""
| table vin, Type, color
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Deepz2612 ,
Try
"Your current search" |rex field=_raw max_match=0 "\"(?<KEY>.+?)\":\"(?<VALUE>.+?)\""
|eval x=mvzip(KEY,VALUE)|table x|mvexpand x
|rex field=x "(?<KEY>.+),(?<VALUE>.+)"|fields - x|transpose 0 header_field=KEY|fields - column
This will result in
vin Type color
ABCDEFTGH Obs-AVE ABSOLUTE BLACK
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The question here is how do i extract the data within the quotes.
message: "vin":"ABCDEFTGH","Type":"Obs-AVE","color":"ABSOLUTE BLACK"
message: "vin":"EFGHTYB","Type":"Obs-ABE","color":"BLACK"
Like in the logs above ,I would want to extract the values as between the quotes as a field value.
eg: whatever data follows after the word "vin":" and ended with ", should be extracted as one field.
ABCDEFTGH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried the query provided by me and @renjith.nair ? It is extracting ABCDEFTGH in field vin, Obs-AVE in field Type and ABSOLUTE BLACK in field color
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It did work but not in the way i expected.
I just wanted to have a reqular expression to extract the data that is present within the quotes and a colon.
rex field = message *********************
message: "vin":"EFGHTYB"
Here the data EFGHTYB is between :" and "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Deepz2612 ,
If you just want VIN, try this
rex field=your_message_field "vin":\"(?<VIN>\w+)\""
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool!! Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Deepz2612,
I am not able to find an easy way to do this but you can try below query.
<yourBaseSearch>
| rex "\"(?:(?<a>\w+))\"\:\"(?<b>(?:.)*?)\"" max_match=0
| eval c = mvzip(a,b)
| mvexpand c
| eval d=mvindex(split(c,","),0), e=mvindex(split(c,","),1)
| eval {d}=e
| stats values(color) AS color, values(vin) AS vin, values(Type) AS Type by _time
Here is run anywhere search based on sample data
| makeresults | eval _raw="message: \"vin\":\"ABCDEFTGH\",\"Type\":\"Obs-AVE\",\"color\":\"ABSOLUTE BLACK\""
| rex "\"(?:(?<a>\w+))\"\:\"(?<b>(?:.)*?)\"" max_match=0
| eval c = mvzip(a,b)
| mvexpand c
| eval d=mvindex(split(c,","),0), e=mvindex(split(c,","),1)
| eval {d}=e
| stats values(color) AS color, values(vin) AS vin, values(Type) AS Type by _time
EDIT : REGEX Updated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series: Telemetry Pipeline Management
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
