Hi
Extract the field.
Sample data: "tag":AKAMAI/WAF/
Thanks.
Hi @balu1211,
please try this:
| rex "(?ms)\"tag\":\s*(?<tag>[^\n]+)"
that you can test at https://regex101.com/r/3p4M9q/1
Ciao.
Giuseppe
Hi @gcusello @yuanliu @ITWhisperer
My use case is: the values under ipblock/adaptive should be extracted under a new field name, including the ipblock value as well in that new field.
"tag":"IPBLOCK"
"tag":"IPBLOCK/ADAPTIVE/BURST"
"tag":"IPBLOCK/ADAPTIVE/SUMMARY"
Output: under new field name eg. ip_attack
IPBLOCK
BURST
SUMMARY
thanks.
Hi @balu1211,
please try this:
| rex "\"tag\":\"(\w*\/\w*\/)*(?<ip_attack>\w+)\""
that you can test at https://regex101.com/r/dEkQF3/1
Ciao.
Giuseppe
Hi @balu1211,
I thought that the one you shared was your event!
could you share (in text format not screenshot) the event for field extraction?
Ciao.
Giuseppe
Hi @balu1211,
the regex I shared correctly extracts the tag field with this source too; what's the problem?
Ciao.
Giuseppe
@balu1211 I am glad you finally started to explain what you are trying to do in the other thread Re: Help with the field extraction and regex. So, based on this, you have a conformant JSON, therefore you must already have a field named tag that is extracted already. Applying the same technique from the other thread,
| rex field=tag mode=sed "s/AKAMAI\/(\w+)\/(.+)/AKAMAI_\1=\"\2\"/"
| rex field=tag mode=sed "s/ASE\/(\w+)\/(.+)/ASE\/\1=\"\2\"/"
| rex field=tag mode=sed "s/(IPBLOCK\/.+)/ip_Attack=\"\1\"/"
| rex field=tag mode=sed "s/(CUSTOM_AKA\/.+)/Custom_Rules=\"\1\"/"
``` convert structured paths to key-value pairs ```
| rename _raw as temp, tag as _raw ``` extract works on _raw only ```
| kv ``` extract key-value pairs ```
| rename temp as _raw
This is the same formula I posted there, except it was never clear that you had a field named "tag" and that the data was somehow related to your initial question.
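An added example (not code from the thread or from Splunk) that replays the two approaches above outside Splunk, so the behaviour of the patterns can be checked on a few constructed events: Giuseppe's rex that keeps only the last path segment of the tag, and yuanliu's sed-style rewrite that turns a tag prefix into a field name. The sample events, the rule table and the function names are assumptions made for the example; Python names capture groups with `(?P<name>...)` where Splunk's rex uses `(?<name>...)`.

```python
import re

# Constructed sample events (not the asker's real data): fragments of
# Akamai WAF JSON events that each carry a "tag" field.
SAMPLE_EVENTS = [
    '{"tag":"IPBLOCK"}',
    '{"tag":"IPBLOCK/ADAPTIVE/BURST"}',
    '{"tag":"IPBLOCK/ADAPTIVE/SUMMARY"}',
    '{"tag":"AKAMAI/WAF/SQL_INJECTION"}',
    '{"tag":"CUSTOM_AKA/GEO_DENY"}',
]

# Giuseppe's rex, in Python syntax: zero or more "segment/segment/" prefixes,
# then the last word-only segment becomes ip_attack.
LAST_SEGMENT = re.compile(r'"tag":"(\w*/\w*/)*(?P<ip_attack>\w+)"')

# Giuseppe's generic tag extractor: everything between the quotes.
WHOLE_TAG = re.compile(r'"tag":"(?P<tag>[^"]*)')


def extract_ip_attack(event):
    """Return the last segment of the tag path, or None if no tag matches."""
    m = LAST_SEGMENT.search(event)
    return m.group("ip_attack") if m else None


def extract_tag(event):
    """Return the full tag value, or None if the event has no tag."""
    m = WHOLE_TAG.search(event)
    return m.group("tag") if m else None


# yuanliu's sed rewrites as (pattern, builder) pairs: each builder returns
# the (field name, field value) that the sed expression would emit before kv.
PREFIX_RULES = [
    (re.compile(r"^AKAMAI/(\w+)/(.+)$"),
     lambda m: ("AKAMAI_" + m.group(1), m.group(2))),
    (re.compile(r"^(IPBLOCK/.+)$"),
     lambda m: ("ip_Attack", m.group(1))),
    (re.compile(r"^(CUSTOM_AKA/.+)$"),
     lambda m: ("Custom_Rules", m.group(1))),
]


def tag_to_field(tag):
    """Map a tag to (field name, value) using the first matching prefix rule.

    Returns None when no rule matches. Note that the IPBLOCK rule requires a
    slash after the prefix, exactly as the sed expression does, so a bare
    "IPBLOCK" tag falls through and no field is produced for it.
    """
    for pattern, build in PREFIX_RULES:
        m = pattern.match(tag)
        if m:
            return build(m)
    return None


def process_events(events):
    """Apply both techniques to every event and collect the results."""
    rows = []
    for event in events:
        tag = extract_tag(event)
        field = tag_to_field(tag) if tag is not None else None
        rows.append({
            "tag": tag,
            "ip_attack": extract_ip_attack(event),
            "field": field,
        })
    return rows


if __name__ == "__main__":
    for row in process_events(SAMPLE_EVENTS):
        print(row)
```

Running it shows the difference between the two approaches: the rex keeps only `BURST` or `SUMMARY` and loses which rule family produced it, while the prefix rules keep the whole path as the value under a family-specific field name but skip the bare `IPBLOCK` tag.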
Hi @balu1211,
this is a regex to extract the tag values:
| rex "\"tag\":\"(?<tag>[^\"]*)"
that you can test at https://regex101.com/r/mGxdvh/1
Anyway, as hinted by @ITWhisperer, I suggest exploring the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath) to extract all the fields from your JSON file.
Ciao.
Giuseppe
Try something like this
| spath attackData.rules{}.tag output=tag
| mvexpand tag
| rex field=tag "(?<name>.*)/.*?"
| eval name=coalesce(name,tag)
| eval {name}=tag
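An added example (not the thread's or Splunk's code) that mirrors the spath-based pipeline above with a JSON parser instead of regex on `_raw`: walk `attackData.rules[]`, take one tag per rule (the `mvexpand` step), derive the field name from the path prefix with the same `(?<name>.*)/.*?` pattern, fall back to the whole tag (the `coalesce`), and create a field named after that prefix (the `eval {name}=tag`). The nested `attackData.rules` layout and the sample event are assumptions taken from the search above, not from real Akamai data.

```python
import json
import re

# Constructed event (assumption: rules are nested under attackData.rules,
# as the spath path in the thread implies).
SAMPLE_EVENT = json.dumps({
    "attackData": {
        "rules": [
            {"tag": "IPBLOCK"},
            {"tag": "IPBLOCK/ADAPTIVE/BURST"},
            {"tag": "IPBLOCK/ADAPTIVE/SUMMARY"},
            {"tag": "AKAMAI/WAF/SQL_INJECTION"},
            {"tag": "CUSTOM_AKA/GEO_DENY"},
        ]
    }
})

# ITWhisperer's rex: the greedy .* runs to the LAST slash, so the name is
# the whole path prefix, not just the first segment.
NAME_RE = re.compile(r"(?P<name>.*)/.*?")


def expand_tags(event_json):
    """spath attackData.rules{}.tag followed by mvexpand: one tag per rule."""
    event = json.loads(event_json)
    rules = event.get("attackData", {}).get("rules", [])
    return [rule["tag"] for rule in rules if "tag" in rule]


def field_name_for(tag):
    """rex + coalesce: path prefix before the last slash, else the tag itself."""
    m = NAME_RE.search(tag)
    if m and m.group("name"):
        return m.group("name")
    return tag


def tag_fields(event_json):
    """eval {name}=tag: a dict keyed by the derived field name.

    Splunk keeps repeated names as a multivalue field; a list models that here.
    """
    fields = {}
    for tag in expand_tags(event_json):
        fields.setdefault(field_name_for(tag), []).append(tag)
    return fields


if __name__ == "__main__":
    for name, values in tag_fields(SAMPLE_EVENT).items():
        print(f"{name} = {values}")
```

Because the regex is greedy, `IPBLOCK/ADAPTIVE/BURST` and `IPBLOCK/ADAPTIVE/SUMMARY` both land in a multivalue field called `IPBLOCK/ADAPTIVE`, while the bare `IPBLOCK` tag becomes a field named `IPBLOCK`; if a single `ip_block` field is wanted instead, the name derivation is the place to change.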
@yuanliu @ITWhisperer @gcusello
Hi,
Could you help me out with extracting these fields and making them global?
"tag":"IPBLOCK"
"tag":"IPBLOCK/ADAPTIVE/BURST"
"tag":"IPBLOCK/ADAPTIVE/SUMMARY"
I want to extract the parts marked in red in one new field named ip_block.
thanks.
Hi @balu1211,
please try this:
| rex "\"tag\":\"(\w*\/\w*\/)*(?<tag>[^\"]+)"
but it's always better to create a new question for a new issue.
Ciao.
Giuseppe
What have you tried so far?
Hi, my use case is field extraction, not the search. Please help in extracting the fields from the events I mentioned above.
Thanks
What have you already tried?