To make sure you get any string (except one with an embedded double quote) you should use @jkat54's answer with a small modification:
... your root search ... | rex 'string1":"(?<fieldName>[^\"]+)"'
That will allow for spaces, punctuation, etc.
This does not work; Splunk is throwing an error. However, when I use jkat54's it doesn't work either, but there is no error.
The query I'm using is the following:
| rex 'catalog_name":"(?\w+)" | top fieldname
where the exact example is: "catalog_name":"firmwide"
I want to save firmwide into the fieldname field.
Looks like you missed the single quote on the end of the regex.
I also don't see the <fieldName> after the ?, but I think the forum stripped that because you didn't use the 101010 button to post code.
I see no reason why this wouldn’t work.
What doesn’t work?
Does it work on 20% of your events but not 100% so you’re saying “it don’t work” or what?
You could change the \w+ to \S+ or .+ to expand the regex so it matches more scenarios.
Sorry. Here is an example "run-anywhere" search that I checked on my system:
| makeresults | eval data="\"catalog_name\":\"firmwide\"" | rex field=data "\"catalog_name\":\"(?<catalog_name>[^\"]+)"
See if this one works for you.
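To show why the `[^\"]+` form from the answers above matches values that `\w+` silently misses, and where the "embedded double quote" caveat bites, here is an added example that is not part of the thread: a small Python script that applies the same two regexes to a few constructed JSON-style events and mimics what `rex` and `| top` would produce. The events, the `extract` and `top` helpers and their names are assumptions made for this illustration; Splunk's `rex` uses PCRE, so the named group is written `(?P<name>...)` here because Python's `re` module only accepts that form.

```python
import re

# Constructed sample events, not taken from the original thread.
# Event 2 has a space, event 3 has punctuation, event 4 lacks the field,
# event 5 contains an escaped double quote inside the value.
EVENTS = [
    '{"catalog_name":"firmwide","id":1}',
    '{"catalog_name":"global markets","id":2}',
    '{"catalog_name":"fixed-income/rates","id":3}',
    '{"id":4}',
    '{"catalog_name":"say \\"hi\\"","id":5}',
]

# Equivalent of:  rex "\"catalog_name\":\"(?<catalog_name>\w+)\""
WORD_ONLY = re.compile(r'"catalog_name":"(?P<catalog_name>\w+)"')

# Equivalent of:  rex "\"catalog_name\":\"(?<catalog_name>[^\"]+)\""
NOT_QUOTE = re.compile(r'"catalog_name":"(?P<catalog_name>[^"]+)"')


def extract(pattern, events):
    """Mimic rex: return the captured value per event, or None when the
    regex does not match (rex simply leaves the field absent on that event)."""
    results = []
    for event in events:
        match = pattern.search(event)
        results.append(match.group("catalog_name") if match else None)
    return results


def top(values):
    """Mimic `| top catalog_name`: count each distinct value, most frequent
    first, ignoring events where the field was never extracted."""
    counts = {}
    for value in values:
        if value is None:
            continue
        counts[value] = counts.get(value, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # \w+ only survives the plain alphanumeric value; the space and the
    # hyphen/slash stop it before the closing quote, so those events get no field.
    print("\\w+      :", extract(WORD_ONLY, EVENTS))
    # [^"]+ accepts spaces and punctuation, but on event 5 it stops at the
    # first embedded quote and captures the value up to the backslash only.
    print("[^\"]+    :", extract(NOT_QUOTE, EVENTS))
    print("top       :", top(extract(NOT_QUOTE, EVENTS)))
```

The last event is the caveat from the first answer: `[^"]+` cannot tell an escaped `\"` inside the value from the closing quote, so it truncates rather than erroring. If values can legitimately contain escaped quotes, use `spath` on the JSON instead of a regex.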