How to extract a field within quotes and extract i...

dernst · ‎02-10-2016

Hi Guys,

I am new to Splunk and regex and trying to extract a given field plus its value. So in the example below, the field is user and the value is 11111111, but this could be anything like a name or description etc. What is the easiest way to select a field by name and extract its value based on the following second set of quotes?

"user" : "11111111"

Deepz2612 · ‎12-16-2017

Hi ,

For logs such as below please help me in extracting the data enclosed within double quotes.

Contact Dealership Name="Amery",Role= "IT_Deal"
Contact Dealership Name="US",Role= "IT_Deal"
Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"

I tried using rex field=_raw "Contact Dealership Name=\"(?[^,]+)\""
But the results are as below :
Dealership_Name
Amery
US
but J. Nuckolls, Inc. dba Fenton Auto Sales is not included in the result.
how the rex_field has to be modified to capture that also.

niketn · ‎12-16-2017

@Deepz2612, please post a new question. Also for Sample Data and SPL please use code button (101010) on Splunk Answers so that special character does not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

MuS · ‎02-10-2016

Hi dernst,

take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html which provides an example to the same question. You simply have to use this "([^"]+)"\s:\s"([^"]+)" as your regex in transforms.conf.

Hope this helps ...

cheers, MuS

How to extract a field within quotes and extract its value based on the following second set of quotes?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor