Solved: How to extract a field in using regex?

man03359 · ‎05-24-2023

I am relatively new to Splunk and I am trying to extracting fields in Splunk,

I have a pattern I am attempting to extract and put into a field. The pattern looks like this:

AdyenPaymentResponse::ProcessResponse::Response -> Result : Failure
AdyenPaymentResponse::ProcessResponse::Response -> Result : Success

I am using this expression to match the pattern:

| rex field=_raw "AdyenPaymentResponse:.*\sResult\s:(?<Status>)"

I have to keep "AdyenPaymentResponse" as the base search and I would like to extract this into a field called "Status" which shows only Failure or Success

ITWhisperer · ‎05-24-2023

Add the ".+" inside the brackets after <status>

View solution in original post

ITWhisperer · ‎05-24-2023

What is the question as this looks like it should work (although, depending on your data, you might want to use these slight modifications)

| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>)"

Strictly speaking, you don't need field=_raw as this is the default field for rex

man03359 · ‎05-24-2023

It is not creating a field, the regex I am using

ITWhisperer · ‎05-24-2023

You are right, I missed it too. You need to specify the pattern you want to be in the field

| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>.+)"

man03359 · ‎05-24-2023

What should I modify exactly?

ITWhisperer · ‎05-24-2023

Add the ".+" inside the brackets after <status>

man03359 · ‎05-24-2023

Thanks a lot 🙂 It worked 🙂 🙂

How to extract a field in using regex?

regex

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies