Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to extract a field from my raw data using rex?

alexspunkshell
Contributor
‎04-20-2022 08:11 AM

Below is my raw logs.

I want to extract "analystVerdict" & its corresponding result from raw logs. can someone please help

 

\"mitigationStartedAt\": \"2022-04-13T03:57:58.393000Z\", \"status\": \"success\"}], \"threatInfo\": {\"analystVerdict\": \"false_positive\", \"analystVerdictDescription\": \"False positive\", \"automaticallyResolved\": false, \"browserType\": null, \"certificateId\": \"\", \"classification\": \"Malware\",

 

I tried below. But i am failing to get the result

index=test_summary  | rex field=_raw ":\\\"(?<analystVerdict>\w+)\\\"" |table search_name analystVerdict

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2022 08:54 AM 
| rex "analystVerdict\\\\\":\s+\\\\\"(?<analystVerdictDescription>[^\\\\\"]+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2022 08:54 AM 
| rex "analystVerdict\\\\\":\s+\\\\\"(?<analystVerdictDescription>[^\\\\\"]+)"
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-20-2022 08:16 AM

Hi @alexspunkshell,

please try this regex:

| rex "analystVerdictDescription\\\":\s+\\\"(?<analystVerdictDescription>[^\"]+)"

that you can test at https://regex101.com/r/IjwJYM/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

alexspunkshell
Contributor
‎04-20-2022 08:34 AM

@gcusello  Thanks for your help

I tried but the field is empty in my results. But the raw logs is having the values.

alexspunkshell_0-1650469176646.png

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-20-2022 08:45 AM

Hi @alexspunkshell,

sometimes I found a behaviour in Splunk different than regex101, so please try this:

| rex "analystVerdictDescription\\\\":\s+\\\\"(?<analystVerdictDescription>[^\"]+)"

Ciao.

Giuseppe

Reply
Solved! Jump to solution

alexspunkshell
Contributor
‎04-20-2022 08:48 AM

Still the same

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎04-20-2022 08:38 AM
If you really have that \ as an escape character on your data, you should add could of more \ character on your rex. There reason is that internally there are couple of places where splunk do that de-escaping and for that reason sometimes you need to do it double or triple times.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...