In my logs I have something that looks like the following: "string1":"string2". I would like to extract string2 as a field, using string1 as a reference point for my regex.
Try this:
... your root search ...
| rex 'string1":"(?<fieldName>\w+)"'
Note there's a double quote followed by a single quote at the end.
To make sure you get any string (except one with an embedded double quote), you should use @jkat54's answer with a small modification:
... your root search ...
| rex 'string1":"(?<fieldName>[^\"]+)"'
That will allow for spaces, punctuation, etc.
This does not work; Splunk is throwing an error. However, when I use jkat54's, it doesn't work either, but there is no error.
The query I'm using is the following:
| rex 'catalog_name":"(?\w+)" | top fieldname
where the exact example is: "catalog_name":"firmwide"
I want to save firmwide into the fieldname field.
Looks like you missed the single quote on the end of the regex.
I also don't see the <fieldName> after the ?, but I think the forum stripped that because you didn't use the 101010 button to post code.
I see no reason why this wouldn't work.
What doesn't work?
Does it work on 20% of your events but not 100%, so you're saying "it don't work", or what?
You could change the \w+ to \S+ or .+ to expand the regex so it matches more scenarios.
I'm just not seeing the new field get created.
I search for
.....
| rex 'catalog_name":"(?<temp>\w+)"'
| top temp
and it returns "no results found".
Unless you used fieldName in the regex and then top fieldname (all lowercase).
Field names are case-sensitive.
Sorry. Here is an example "run-anywhere" search that I checked on my system:
| makeresults
| eval data="\"catalog_name\":\"firmwide\""
| rex field=data "\"catalog_name\":\"(?<catalog_name>[^\"]+)"
See if this one works for you.
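As an added illustration (not code from this thread or from Splunk itself), the Python script below runs the two regex variants discussed above over a few constructed log lines: the \w+ capture from the first answer and the [^"]+ capture from the modified answer, plus a small count that mimics what | top does with the extracted field. Splunk's rex uses PCRE named groups written (?<name>...); Python's re module spells the same thing (?P<name>...), so the patterns are rewritten accordingly. The sample lines, the field name catalog_name and the helper names are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample events (not from the thread) in the "key":"value" shape.
SAMPLE_LOGS = [
    '{"catalog_name":"firmwide","user":"alice"}',
    '{"catalog_name":"run-anywhere","user":"bob"}',         # hyphen is not \w
    '{"catalog_name":"North America sales","user":"carol"}',  # spaces are not \w
    '{"catalog_name":"","user":"dave"}',                     # empty value
    '{"user":"erin"}',                                       # key absent
]

# Python rewrites of the two patterns from the thread. Splunk rex would be
# written with (?<catalog_name>...) inside a double-quoted SPL string.
WORD_ONLY = re.compile(r'"catalog_name":"(?P<catalog_name>\w+)"')
ANY_BUT_QUOTE = re.compile(r'"catalog_name":"(?P<catalog_name>[^"]+)"')


def extract(pattern, line):
    """Return the captured catalog_name, or None when the pattern does not match.

    None is what Splunk effectively gives you as well: rex leaves the field
    unset on events the regex does not match, so a following | top sees nothing.
    """
    match = pattern.search(line)
    return match.group("catalog_name") if match else None


def compare(lines):
    """Pair the \\w+ result with the [^"]+ result for each line, to show the gap."""
    return [(extract(WORD_ONLY, line), extract(ANY_BUT_QUOTE, line)) for line in lines]


def top_values(pattern, lines):
    """Count extracted values the way | top would, ignoring events with no field."""
    values = (extract(pattern, line) for line in lines)
    return Counter(v for v in values if v is not None)


if __name__ == "__main__":
    for line, (word, any_but_quote) in zip(SAMPLE_LOGS, compare(SAMPLE_LOGS)):
        print(f"{line}\n  \\w+   -> {word!r}\n  [^\"]+ -> {any_but_quote!r}")
    print("top with [^\"]+:", top_values(ANY_BUT_QUOTE, SAMPLE_LOGS).most_common())
```

Running it shows that \w+ only captures "firmwide" and silently skips the hyphenated and multi-word values, whereas [^"]+ captures all three. Neither variant captures the empty value, because + requires at least one character; if an empty string is a legitimate value in your data, use [^"]* instead.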
Yes, this works... is there a reason why, when I run it on my own data, it doesn't create a field?
Never mind, this works. I was accidentally still referencing the field=data field; removing this made it functional. Thank you!
Glad you figured it out! We were scratching our heads!
Sorry about that, I'm very new to using regex in Splunk.
For some reason the full regex expression isn't showing up in the comment, but I'm using what you wrote.