Hi, I wonder whether someone may be able to help me please.
I've put together this regex which works perfectly in Regex101:
\"loggedInAt":\"(?<LoggedIn>[^\"]+)
This correctly extracts the 'loggedInAt' value from the raw data as shown below:
{"uri":"/auth/oid/4a1f00001b00002eb5","loggedInAt":"2015-10-18T18:30:34.976Z","credentials":{"gatewayId":"0000000"},"accounts":{"iht":{"link":"/iht/AA112456","nino":"AA111111A"},"sa":{"link":"/individual/12345678","ur":12345678"},"taxs":{"link":"/taxs/12345678","ur":"12345678"}},"lastUpdated":"2015-10-18T18:30:34.976Z","levelOfAssurance":"2","confidenceLevel":500}.
I then use this line in my Splunk query.
| rex field="detail.authority" ""\"loggedInAt":\"(?<LoggedIn>[^\"]+)"
The problem I have is that when I come to add "LoggedIn" to my table the relevant information is not being extracted and I'm not sure why.
I just wondered whether someone could look at this please and let me know where I've gone wrong.
Many thanks and kind regards
Chris
Hi Chris,
I think I've found where your problem is. It's just the matter of placing the double quote character. Your rex was like this:
.. | rex field="detail.authority" ""\"loggedInAt":\"(?<LoggedIn>[^\"]+)"
I tried in my local environment using your sample data and it clearly was not working. So, I altered the rex into something like this:
.. | rex field="detail.authority" "\"loggedInAt\":\"(?<LoggedIn>[^\"]+)\""
The things I've tweaked are:
This should solve your problem.
Best Regards
Hi @vincenteous, thank you very much for this it works a treat.
Kind Regards
Chris
Splunk has some issues with double quotes inside double quotes, at least that's what I've experienced before. Therefore I always try to avoid using them in rexes. Try this one:
| rex "loggedInAt\W\:\W(?<VALUE>.*?)\W,"
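As an added illustration of why the two answers work and the original rex does not (this is example code written for this page, not code from the thread's posters or from Splunk), the script below applies all three rex arguments to a constructed event value modelled on the question's data. It assumes a simplified model of how SPL reads a double-quoted argument (`\"` becomes `"`, `\\` becomes `\`, any other backslash sequence is passed through to the regex engine, and an unescaped `"` ends the string) and converts Splunk's PCRE named groups `(?<name>...)` to Python's `(?P<name>...)` because Python's `re` module does not accept the PCRE spelling. The helper names `unquote_spl_string`, `to_python_regex` and `extract` are this example's own.

```python
import re

# Constructed sample event value, modelled on the raw data in the question
# (shortened and with valid JSON quoting; this is not the poster's exact event).
SAMPLE_AUTHORITY = (
    '{"uri":"/auth/oid/4a1f00001b00002eb5",'
    '"loggedInAt":"2015-10-18T18:30:34.976Z",'
    '"credentials":{"gatewayId":"0000000"},'
    '"lastUpdated":"2015-10-18T18:30:34.976Z","confidenceLevel":500}'
)

# The three rex arguments from the thread, exactly as they appear after field=...
BROKEN = r'""\"loggedInAt":\"(?<LoggedIn>[^\"]+)"'          # original question
FIXED = r'"\"loggedInAt\":\"(?<LoggedIn>[^\"]+)\""'        # accepted answer
NOQUOTE = r'"loggedInAt\W\:\W(?<VALUE>.*?)\W,"'             # quote-free alternative


def unquote_spl_string(arg: str) -> tuple[str, str]:
    """Simplified model (an assumption, not Splunk's parser) of reading one
    double-quoted SPL argument. Returns (string_contents, remaining_text); any
    remaining text is what rex would never see as part of the regex."""
    if not arg.startswith('"'):
        raise ValueError("expected a double-quoted argument")
    out = []
    i = 1
    while i < len(arg):
        ch = arg[i]
        if ch == "\\" and i + 1 < len(arg):
            nxt = arg[i + 1]
            if nxt in '"\\':
                out.append(nxt)          # \" -> "  and  \\ -> \  (SPL-level escapes)
            else:
                out.append(ch + nxt)     # \W, \d, \: ... pass through to the regex
            i += 2
            continue
        if ch == '"':
            return "".join(out), arg[i + 1:]   # unescaped quote closes the string
        out.append(ch)
        i += 1
    raise ValueError("unterminated double-quoted argument")


def to_python_regex(pcre: str) -> str:
    """rex uses PCRE named groups (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?P<n>\w+)>", r"(?P<\g<n>>", pcre)


def extract(regex_arg: str, text: str) -> dict:
    """Apply a rex-style quoted regex argument to text and return the named
    captures; an empty dict means no match or a mis-quoted argument."""
    pattern, leftover = unquote_spl_string(regex_arg)
    if leftover.strip():
        # The quoted string closed early, so the real pattern was left outside it:
        # this is exactly what happens with the "" prefix in the original rex.
        return {}
    m = re.search(to_python_regex(pattern), text)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    for label, arg in (("broken", BROKEN), ("fixed", FIXED), ("no-quote", NOQUOTE)):
        print(f"{label:9s} regex seen by engine: {unquote_spl_string(arg)[0]!r}")
        print(f"{label:9s} captures: {extract(arg, SAMPLE_AUTHORITY)}")
```

Running it shows that the original argument's leading `""` closes the quoted string immediately (the engine receives an empty pattern and the rest of the text is left dangling), while both the corrected argument and the quote-free one hand the engine a complete pattern and capture `2015-10-18T18:30:34.976Z`. The quote-free variant relies on `\W` matching the surrounding `"` characters and on the lazy `.*?` stopping at the first `\W,` sequence, so it is worth checking against values that themselves contain a comma before relying on it.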