Solved: How to use rex to isolate fields with double quote...

Foss · ‎03-29-2022

Hello I am trying to isolate 'msg' field with multiple quotes and when I use rex is either cannot grab what I need or it continues through the data and doesn't stop, thanks!

outcome="Success"msg="The "Account is trusted for delegation" property was modified from No to Yes"cs3="

I have tried | rex field=_raw "msg=\"(?<msg>[^\"]+)" with no success.

yuanliu · ‎03-29-2022

If you cannot predict how many quotes will appear in this "field", there is no general solution. Your best bet is to bet on that "cs3=" will follow "msg" field.

| rex "msg=\"(?<msg>.+)\"\s*cs3="

If that is not the case, you can try matching exactly even (0, 2, 4, ...) quotes inside quotes, like

| rex "msg=\"(?<msg>([^\"]+\"){0,2,4}[^\"]+)\""

View solution in original post

yuanliu · ‎03-29-2022

If you cannot predict how many quotes will appear in this "field", there is no general solution. Your best bet is to bet on that "cs3=" will follow "msg" field.

| rex "msg=\"(?<msg>.+)\"\s*cs3="

If that is not the case, you can try matching exactly even (0, 2, 4, ...) quotes inside quotes, like

| rex "msg=\"(?<msg>([^\"]+\"){0,2,4}[^\"]+)\""

Foss · ‎03-29-2022

thank you for the feedback, that worked nicely!

How to use rex to isolate fields with double quotes?

rex

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

How to use rex to isolate fields with double quotes?

rex

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers