Solved: Re: I'm trying to extract field That looks like be...

PavanSeerapu · ‎09-10-2021

I'm trying to extract field That looks like "Alert-source-key":"[\"abcdd-gdfc-mb40-a801-e40fd9db481e\"]"

I have tried this "Alert-source-key":"(?P<Alert_key>[^"]+)" but i'm getting results like "[/" since it is checking for only

richgalloway · ‎09-13-2021

This regex works in regex101.com and should also work in the Field Extractor.

Alert-source-key":"\[\\"(?<AlertSource>[^\\]+)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

PavanSeerapu · ‎09-13-2021

What exactly are you trying to extract from that string? -- abcdd-gdfc-mb40-a801-e40fd9db481e

I'm using field extractor through splunk web and writing the regular expression by myself

isoutamo · ‎09-13-2021

This seems to work

| makeresults 
| eval foo = "\"Alert-source-key\":\"[\\\"abcdd-gdfc-mb40-a801-e40fd9db481e\\\"]\"" 
| rex field=foo "\"Alert-source-key\":\"\[\\\\\"(?P<Alert_key>[^\"\\\]+)"

In this kind of cases there are needed "couple" of escapes \.

r. Ismo

richgalloway · ‎09-13-2021

This regex works in regex101.com and should also work in the Field Extractor.

Alert-source-key":"\[\\"(?<AlertSource>[^\\]+)

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎09-10-2021

What exactly are you trying to extract from that string? Where and how are you doing so?

If you're trying to extract the field using the rex command in a search then the embedded quotation marks must be escaped.

---
If this reply helps you, Karma would be appreciated.

I'm trying to extract field That looks like below

field extraction

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?