How to remove ( \" ) characters from search?

MrIncredible · ‎01-09-2023

In few logs I can see escape character is also printed. My rex is working fine when i am testing it on regex101.com but when i use the same in Splunk Search, its throwing error. I tried different combination by putting quotes but then different error comes.

Regex: https://regex101.com/r/Nm32kd/2

Splunk error:

MrIncredible · ‎01-09-2023

@gcuselloThanks for your reply. Its not throwing error now though not extracting eligibiltyStatus field as well.

gcusello · ‎01-10-2023

Hi @MrIncredible,

please try this regex:

| rex "eligibiltyStatus\\\": \\\"(?<eligibiltystatus>[^\\]+)"

Ciao.

Giuseppe

MrIncredible · ‎01-10-2023

@gcusello

error:

and if i did some changes (marked in yellow) in regex, not getting error but also not getting desired result:

gcusello · ‎01-09-2023

Hi @MrIncredible,

try to add another backslash to your regex in Splunk:

| rex "eligibiltyStatus\\\": \\\"(?<eligibiltystatus>.*?)\\\"\,\\n"

ciao.

Giuseppe

How to remove ( \" ) characters from search?

field extraction

regex

rex

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas