Solved: How to extract a field with special characters?

mugilbala · ‎05-17-2018

Hi,

I have a log statement that prints service execution time like -

Service Response : {"entity":"{\"transactionId\":\"39182d7a-7f34-4c28-a0f2-9b42b9b206df\",\"executionTimeInMillis\":112,"status":201}

I am trying to extract the value of "executionTimeInMillis".

My search statement - index="xyz" "Service Response :" | search "\"executionTimeInMillis\"\":"(?exeTime[^\$]*)," | table _time, exeTime
Note: I have added <> to exeTime. It is not showing in the question.

However, it did not show any results. Can you help me with this query?

somesoni2 · ‎05-17-2018

The field extraction command is rex, not search. There may be few issues with your regex, e.g. there is no double quotes after colon. So try this

index="xyz" "Service Response :" | rex "\"executionTimeInMillis[^\:]+\:\s*(?<exeTime>[^,]+)" | table _time, exeTime

View solution in original post

somesoni2 · ‎05-17-2018

The field extraction command is rex, not search. There may be few issues with your regex, e.g. there is no double quotes after colon. So try this

index="xyz" "Service Response :" | rex "\"executionTimeInMillis[^\:]+\:\s*(?<exeTime>[^,]+)" | table _time, exeTime

mugilbala · ‎05-17-2018

Thank you so much. It worked. Appreciate your help.

How to extract a field with special characters?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to extract a field with special characters?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...