Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to escape special character through regex

mrmanishsharma
New Member
‎12-03-2019 12:29 PM

Hi experts, I wanted to escape the backslash "\" from the below logs, and capture the status code.
The output should be like this statusCode=200

Please help me on this.

"log":"{\"logType\":\"RESPONSE\",\"logLevel\":\"DEBUG\",\"logTimestamp\":\"2019-12-03T20:08:58.691Z\",\"logger\":\"Response\",\"label\":\"Response\",\"transaction\":{\"transactionId\":\"AjscCsiRestful46@N/A258ecf8b-106b-475d-9ba6-784e1205cce4\",\"conversationId\":\"m10582@sapmp.att.com~CNG-CSI~0cb3c333-15ee-45cf-9a45-fc2fe3d21783\",\"consumer\":\"m10582@sapmp.att.com\",\"protocol\":\"HTTP\",\"callingEntityIP\":\"10.233.64.0\",\"receivedTimestamp\":\"2019-12-03T20:08:58.675Z\",\"timeToLive\":0,\"timeout\":\"2019-12-03T20:08:58.675Z\"},\"runtime\":{\"hostName\":\"zlp25883\",\"ip\":\"10.233.77.162\",\"instance\":\"subscribernotificationprocess-3-0-2-default-6dcdffcc5f-vccqx\",\"clusterName\":\"PROD-ALPSGACT-SAPMP-0001\",\"namespace\":\"com-att-sapmp-prod\",\"image\":\"dockercentral.it.att.com:5100/com.att.sapmp/subscribernotificationprocess:3.0.2\",\"platformIdentifier\":\"AJSC7_RESTLET\",\"environment\":\"PROD\"},\"application\":{\"deploymentUnitName\":\"com.att.sapmp.SubscriberNotificationProcess\",\"motsApplicationAcronym\":\"26018\"},\"response\":{\"processedEndTimestamp\":\"2019-12-03T20:08:58.689Z\",\"responseSize\":0,\"responseMessage\":\"\",\"status\":\"COMPLETE\",\"statusCode\":\"200\",\"headers\":{\"X-ATT-UniqueTransactionId\":\"AjscCsiRestful46@N/A258ecf8b-106b-475d-9ba6-784e1205cce4\",\"X-ATT-ConversationId\":\"m10582@sapmp.att.com~CNG-CSI~0cb3c333-15ee-45cf-9a45-fc2fe3d21783\",\"X-Application-Context\":\"application:subscriber:8080\",\"Date\":\"Tue, 03 Dec 2019 20:08:58 GMT\",\"Server\":\"Restlet-Framework/2.3.12\"}}}\n","stream":"stdout","time":"2019-12-03T20:08:58.691596727Z"}
0 Karma
Reply

woodcock
Esteemed Legend
‎01-01-2020 06:33 PM

Please note that if you are saving field extractions to happen automatically and NOT using them with rex inside of search SPL, you will have to reduce the number of \ characters by half(ish). Are you saving this as automatic field extractions?

0 Karma
Reply

mrmanishsharma
New Member
‎12-04-2019 11:00 AM

Thanks all for your efforts.
but what is the wired thing happening, when i used the code from answers so far and execute with my search string. it works.
issue comes, when i creates the field and it shows successfully saved. but created field do not populated and missing in the left created field list. 😞

0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2019 10:01 PM

Like this:

|makeresults
| eval _raw="\"log\":\"{\\\"logType\\\":\\\"RESPONSE\\\",\\\"logLevel\\\":\\\"DEBUG\\\",\\\"logTimestamp\\\":\\\"2019-12-03T20:08:58.691Z\\\",\\\"logger\\\":\\\"Response\\\",\\\"label\\\":\\\"Response\\\",\\\"transaction\\\":{\\\"transactionId\\\":\\\"AjscCsiRestful46@N/A258ecf8b-106b-475d-9ba6-784e1205cce4\\\",\\\"conversationId\\\":\\\"m10582@sapmp.att.com~CNG-CSI~0cb3c333-15ee-45cf-9a45-fc2fe3d21783\\\",\\\"consumer\\\":\\\"m10582@sapmp.att.com\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"callingEntityIP\\\":\\\"10.233.64.0\\\",\\\"receivedTimestamp\\\":\\\"2019-12-03T20:08:58.675Z\\\",\\\"timeToLive\\\":0,\\\"timeout\\\":\\\"2019-12-03T20:08:58.675Z\\\"},\\\"runtime\\\":{\\\"hostName\\\":\\\"zlp25883\\\",\\\"ip\\\":\\\"10.233.77.162\\\",\\\"instance\\\":\\\"subscribernotificationprocess-3-0-2-default-6dcdffcc5f-vccqx\\\",\\\"clusterName\\\":\\\"PROD-ALPSGACT-SAPMP-0001\\\",\\\"namespace\\\":\\\"com-att-sapmp-prod\\\",\\\"image\\\":\\\"dockercentral.it.att.com:5100/com.att.sapmp/subscribernotificationprocess:3.0.2\\\",\\\"platformIdentifier\\\":\\\"AJSC7_RESTLET\\\",\\\"environment\\\":\\\"PROD\\\"},\\\"application\\\":{\\\"deploymentUnitName\\\":\\\"com.att.sapmp.SubscriberNotificationProcess\\\",\\\"motsApplicationAcronym\\\":\\\"26018\\\"},\\\"response\\\":{\\\"processedEndTimestamp\\\":\\\"2019-12-03T20:08:58.689Z\\\",\\\"responseSize\\\":0,\\\"responseMessage\\\":\\\"\\\",\\\"status\\\":\\\"COMPLETE\\\",\\\"statusCode\\\":\\\"200\\\",\\\"headers\\\":{\\\"X-ATT-UniqueTransactionId\\\":\\\"AjscCsiRestful46@N/A258ecf8b-106b-475d-9ba6-784e1205cce4\\\",\\\"X-ATT-ConversationId\\\":\\\"m10582@sapmp.att.com~CNG-CSI~0cb3c333-15ee-45cf-9a45-fc2fe3d21783\\\",\\\"X-Application-Context\\\":\\\"application:subscriber:8080\\\",\\\"Date\\\":\\\"Tue, 03 Dec 2019 20:08:58 GMT\\\",\\\"Server\\\":\\\"Restlet-Framework/2.3.12\\\"}}}\n\",\"stream\":\"stdout\",\"time\":\"2019-12-03T20:08:58.691596727Z\"}"
| rex "statusCode\\\\\":\\\\\"(?<statusCode>\d+)"
0 Karma
Reply

vnravikumar
Champion
‎12-03-2019 06:39 PM

Hi

Try this, temp is the field that contains entire log

| makeresults 
| eval temp="statusCode\":\"200\"," 
| rex field=temp "statusCode\":\"(?P<statusCode>[^\",]+)"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2019 01:57 PM

How about something like this? The "extra" backslashes are there because of additional escaping needed in SPL.

... | rex "statusCode\\\\\":\\\\\"(?<statusCode>\d+)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

computermathguy
Path Finder
‎04-01-2022 12:24 PM

I had to use 4 backslashes to escape the URL's single backslash.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...