Need help with rex extraction including double quotes and slashes

New Member

Hi,

I am currently trying to extract the numbers from this field example:

message.data

... {\"MyID\":\"111111\", ...

so I wrote the following rex expression, with no results:

rex field=message.data "\\\"MyID\\\":\\\"(?<MyID>\d+)\\\""

I have tried different amounts of slashes, and I am confident that the section inside the parentheses is correct for my needs.

0 Karma

Re: Need help with rex extraction including double quotes and slashes

SplunkTrust

Please use the code function while selecting the regex to keep formatting; code can be applied by clicking the 101010 icon or pressing CTRL-k

cheers, MuS

0 Karma

Re: Need help with rex extraction including double quotes and slashes

SplunkTrust

Give this a try

....  | rex field=message.data "\"MyID([^\"]+\"){2}(?<MyID>\d+)"

0 Karma
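
Why the pattern in the question finds nothing while the one in the answer matches, traced in Python as an added example (not code from the thread or from Splunk). `spl_unquote` is a hypothetical, simplified model that assumes the search parser turns `\"` into `"` and `\\` into `\` before the regex engine sees the pattern; the sample value is constructed, and `(?<MyID>` is rewritten to Python's `(?P<MyID>` spelling.

```python
import re

# Constructed sample of message.data, shaped like the fragment in the question:
# every double quote in the value is preceded by a literal backslash.
SAMPLE = r'{\"MyID\":\"111111\", \"Name\":\"test\"}'

# The two rex arguments from the thread, exactly as typed between the outer quotes.
QUESTION_REX = r'\\\"MyID\\\":\\\"(?<MyID>\d+)\\\"'
ANSWER_REX = r'\"MyID([^\"]+\"){2}(?<MyID>\d+)'


def spl_unquote(text: str) -> str:
    """Assumed model of quoted-string handling in the search language:
    backslash-quote becomes a quote, a doubled backslash becomes one backslash,
    and any other backslash sequence (such as \\d) is passed through unchanged."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in '"\\':
            out.append(text[i + 1])   # drop the escaping backslash
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def extract_my_id(rex_argument: str, value: str = SAMPLE):
    """Return the MyID capture for a rex argument, or None when nothing matches."""
    # Python spells named groups (?P<name>...), PCRE also accepts (?<name>...).
    pattern = spl_unquote(rex_argument).replace("(?<MyID>", "(?P<MyID>")
    match = re.search(pattern, value)
    return match.group("MyID") if match else None


if __name__ == "__main__":
    for label, rex in (("question", QUESTION_REX), ("answer", ANSWER_REX)):
        print(f"{label:8} regex seen by engine: {spl_unquote(rex)}")
        print(f"{label:8} MyID extracted:       {extract_my_id(rex)}")
    # Caveat: ([^"]+"){2} needs at least one character before each quote, so the
    # answer's pattern relies on the backslashes being present in the data.
    print("answer on unescaped JSON:", extract_my_id(ANSWER_REX, '{"MyID":"111111"}'))
```

Under that model the question's pattern reaches the engine as a regex that expects `"MyID"` with no backslashes, while the answer's `([^"]+"){2}` skips whatever sits between the quotes, backslashes included.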

Re: Need help with rex extraction including double quotes and slashes

New Member

This worked for me. Thanks!

0 Karma