Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex Help

brajaram
Communicator
‎01-08-2018 03:28 PM

Hi,

Struggling yet again with another regex. The sample string looks like the following:

.........,"errorCode":"500113"}, .......

As part of a whole JSON response.

If I take that JSON and put it into regex101, I can use the following rex to correctly capture the code

"errorCode\":(.*?)},

However, I'm not sure how to turn that into a rex command to parse out the field. If I simply replace the .* with ?<> with a field name inside the brackets it errors out, and in fact I can't ever get it to not throw an error.

How do I turn an accurate regular expression(at least from my testing using online regular expression tools) into a rex command to capture a field in Splunk?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎01-08-2018 03:31 PM

Don't replace .* with ?<fieldName>. You add ?<fieldName> after your (, like:

"errorCode\":(?<errorCode>.*?)},

Full rex (alteration to exclude double quotes from the extracted value):

| rex "\"errorCode\":\"(?<errorCode>.*?)\"},"

Probably better version, which specifies that errorCode can't contain ":

| rex "\"errorCode\":\"(?<errorCode>[^\"]+)\"},"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎01-08-2018 03:31 PM

Don't replace .* with ?<fieldName>. You add ?<fieldName> after your (, like:

"errorCode\":(?<errorCode>.*?)},

Full rex (alteration to exclude double quotes from the extracted value):

| rex "\"errorCode\":\"(?<errorCode>.*?)\"},"

Probably better version, which specifies that errorCode can't contain ":

| rex "\"errorCode\":\"(?<errorCode>[^\"]+)\"},"
0 Karma
Reply
Solved! Jump to solution

brajaram
Communicator
‎01-08-2018 03:41 PM

Ahh, thanks for the explanation! Works perfectly. Appreciate the help!

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎01-09-2018 04:15 AM

The feeling you have when you are too late to a regex question :S

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...