Solved: How to write a regular expression for my field?

sravankaripe · ‎02-01-2017

i want to extract field by regular expression. how can i write regular expression for the below one?

"responseCode":"200"

somesoni2 · ‎02-01-2017

Try this

your base search | rex "\"responseCode\":\"(?<response_code>\d+)"

Based on the same data, it seems your data may be json format and you can get the fields extracted automatically (or you can set that up). Is it a proper json?

View solution in original post

horsefez · ‎02-01-2017

Hi sravankaripe,

 | rex field=_raw "(?:.*responseCode\s?\:\s?)(?<response_code>\d+)"

Gives you a field with the name "response_code" with the specific value.

Let me know if it works and check out this great site
https://regex101.com

Regards,
pyro_wood

PS:.... god damn.... somesoni at it again, stealin my karma 😄

somesoni2 · ‎02-01-2017

Try this

your base search | rex "\"responseCode\":\"(?<response_code>\d+)"

Based on the same data, it seems your data may be json format and you can get the fields extracted automatically (or you can set that up). Is it a proper json?

How to write a regular expression for my field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation