Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract a field within quotes and extract its value based on the following second set of quotes?

dernst
New Member
‎02-10-2016 03:49 PM

Hi Guys,

I am new to Splunk and regex and trying to extract a given field plus its value. So in the example below, the field is user and the value is 11111111, but this could be anything like a name or description etc. What is the easiest way to select a field by name and extract its value based on the following second set of quotes?

"user" : "11111111"
0 Karma
Reply

Deepz2612
Explorer
‎12-16-2017 04:30 AM

Hi ,

For logs such as below please help me in extracting the data enclosed within double quotes.

Contact Dealership Name="Amery",Role= "IT_Deal"
Contact Dealership Name="US",Role= "IT_Deal"
Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"

I tried using rex field=_raw "Contact Dealership Name=\"(?[^,]+)\""
But the results are as below :
Dealership_Name
Amery
US
but J. Nuckolls, Inc. dba Fenton Auto Sales is not included in the result.
how the rex_field has to be modified to capture that also.

0 Karma
Reply

niketn
Legend
‎12-16-2017 05:55 AM

@Deepz2612, please post a new question. Also for Sample Data and SPL please use code button (101010) on Splunk Answers so that special character does not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-10-2016 04:44 PM

Hi dernst,

take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html which provides an example to the same question. You simply have to use this "([^"]+)"\s:\s"([^"]+)" as your regex in transforms.conf.

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...