Solved: How to extract data using rex? - Splunk Community

Splunk Search

Hi all,

I am having data as follows:

REPORT RequestId: xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1

i want a field as CorrelationId3 which is having xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 value

1 Solution

Solution

Edited the first answer and should work for space and tabs

|rex "RequestId:\s+(?<CorrelationId3>[^\s]+)"

If the format of the string is only letters,numbers and - then ,you may use

|rex "RequestId:\s+(?<CorrelationId3>[a-z0-9A-Z-]+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

thank you @renjith_nair for help. now im again trying to extract correlation_id as CorrelationId4.

{"data":{"correlation_id":"51g0d88f-3ab8-4mom-betb-b31ed6e1662z","u_originator_uri"

i used following query to extract value:

 | rex "\{\"correlation\_id\"\:\"(?<CorrelationId4>[^\<]*)\s*\""

but now, i am not getting field as CorrelationId4. request you to guide further on this

try

correlation_id\":\"(?<CorrelationId4>[^\"]+)

---
What goes around comes around. If it helps, hit it with Karma 🙂

i have tried

| rex "correlation_id\\":\\"(?<CorrelationId4>[^\"]+)\\"

but it gives me error as

Error in 'rex' command: Encountered the following error while compiling the regex 'correlation_id\:\(?<CorrelationId4>[^"]+)\': Regex: unmatched closing parenthesis.

1. You dont need to use \\ but only single \

2. The last quote (") should not be escaped with \\

Please see below sample

|makeresults|eval _raw="{\"data\":{\"correlation_id\":\"51g0d88f-3ab8-4mom-betb-b31ed6e1662z\",\"u_originator_uri\""
|rex "correlation_id\":\"(?<CorrelationId4>[^\"]+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

not getting the data

not getting the data.

what if data is like:

"{\"data\":{\"correlation_id:\"51g0d88f-3ab8-4mom-betb-b31ed6e1662z\",\"u_originator_uri

Do you have any characters/strings after the value ?

your search
|rex "RequestId:\s+(?<CorrelationId3>.*)"

If you have any chars after the value , add them after the last parenthesis (")")

---
What goes around comes around. If it helps, hit it with Karma 🙂

there is more raw data after xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 Duration ---'.

after using using your query, i'm getting data as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1 Duration ---'

but i want data as 'xxxx2722-xx0d-xx35-95xx-xxxxxxb6b2e1'

As mentioned, have you tried adding that string after the parenthesis?

|rex RequestId:\s+(?<CorrelationId3>[^\s]+)

---
What goes around comes around. If it helps, hit it with Karma 🙂

yes, but still not getting right answer. i guess there is tab space rather than blank space before Duration. if tab, then how to write that?

Solution

Edited the first answer and should work for space and tabs

|rex "RequestId:\s+(?<CorrelationId3>[^\s]+)"

If the format of the string is only letters,numbers and - then ,you may use

|rex "RequestId:\s+(?<CorrelationId3>[a-z0-9A-Z-]+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...