Hi,
I want to extract the serialNumber value from the logs. Below is a sample from the log:
\"serialNumber\" : \"A1BZD2C5HD29\".
I tried using the expression below to extract the serial number from the logs. The regular expression in the quotes performs correctly on the regex101 site but it is not
rex field=response "\\\"serialNumber\\\"\s+:\s+\\\"(?<srLNumber>\w+)"
Below is the complete sample response object (pasting it, as the issue may be due to the text arrangement in the object):
response="
{
\"FetchedDetails\" : {
\"TimeStamp\" : \"312345677122199\",
\"serialNumber\" : \"C12SDJGRHLND7\"
}
}"
The serial number can be of any length and contains only alphanumeric characters.
I tried multiple other options, like using .+ instead of \w+, but it did not work.
Any advice on selecting the serial number is appreciated.
Thanks
 
I cannot believe that we are still rehashing this. This generates a sample event/field:
|makeresults | eval response="response=\"
{
\\\"FetchedDetails\\\" : {
\\\"TimeStamp\\\" : \\\"312345677122199\\\",
\\\"serialNumber\\\" : \\\"C12SDJGRHLND7\\\"
}
}\""
You can use RegEx like this:
... | rex field=response "\\\\\"serialNumber\\\\\"\s+:\s+\\\\\"(?<srLNumber>\w+)"
Or get everything like this:
... | rename response AS _raw
| rex mode=sed "s/^response=\"[\r\n]+// s/[\r\n]+}\"$// s/\\\\\"/\"/g"
| kv
 
Below is the complete sample response object (pasting it, as the issue may be due to the text arrangement in the object):
response="
{
  \"FetchedDetails\" : {
    \"TimeStamp\" : \"312345677122199\",
    \"serialNumber\" : \"C12SDJGRHLND7\"
  }
}"
 
Give this a try
your base search | rex field=response "serialNumber[^\"]+\"\s*\:\s*[^\"]+\"(?<serialNumber>[^\"]+)"
@somesoni2: Thanks for replying.
This also did not work. I tried removing the additional '\"' after the group search [^\"]+ but no luck.
 
So is it not capturing anything, or capturing something wrong/incomplete?
It's not capturing anything.
 
Try using the hex value for backslash instead of dealing with the escape sequences.
| rex field=response "\x5c\"serialNumber\x5c\"\s*:\s*\x5c\"(?<srLNumber>\w+)"
If you need to go even more extreme, try the hex values for the double quotes as well.
| rex field=response "\x5c\x22serialNumber\x5c\x22\s*:\s*\x5c\x22(?<srLNumber>\w+)"
@rjthibod: Thanks for replying. I tried both combinations and neither worked.
 
You need 2 more backslashes in each spot. This works:
This fakes the data:
|makeresults | eval response="\\\"serialNumber\\\" : \\\"A1BZD2C5HD29\\\"."
This is your solution:
| rex field=response "\\\\\"serialNumber\\\\\"\s+:\s+\\\\\"(?<srLNumber>\w+)"
@woodcock: Thanks for replying.
This also did not work. It works only if I keep the same serial number "A1BZD2C5HD29".
I tried using \w+ instead of the serial number.
 
The solution is this part:
... | rex field=response "\\\\\"serialNumber\\\\\"\s+:\s+\\\\\"(?<srLNumber>\w+)"
The other stuff was faking the data.
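The following is an added illustration of the two escaping layers discussed in this answer and in the first answer above (SPL string-literal processing, then the regex engine); it is not code from the thread. It uses Python's re module as a stand-in for Splunk's PCRE engine (an assumption; the only translation made is PCRE's (?<name>...) to Python's (?P<name>...)), models SPL double-quoted string processing with a hypothetical spl_unescape helper, and runs the single-backslash pattern from the question and the double-backslash pattern from the answers against a constructed copy of the sample event. It also shows the "unescape and parse everything" route that the rex mode=sed plus kv pipeline takes.

```python
import json
import re
from typing import Optional

# Constructed sample event mirroring the one in the question: the JSON inside
# the response field is stored with literal backslash-quote pairs (\").
SAMPLE_RESPONSE = (
    'response="\n'
    '{\n'
    '  \\"FetchedDetails\\" : {\n'
    '    \\"TimeStamp\\" : \\"312345677122199\\",\n'
    '    \\"serialNumber\\" : \\"C12SDJGRHLND7\\"\n'
    '  }\n'
    '}"'
)

# The two rex patterns from the thread, exactly as typed between the SPL double
# quotes (Python raw strings, so no escape processing happens at this point).
OP_PATTERN = r'\\\"serialNumber\\\"\s+:\s+\\\"(?<srLNumber>\w+)'
WORKING_PATTERN = r'\\\\\"serialNumber\\\\\"\s+:\s+\\\\\"(?<srLNumber>\w+)'


def spl_unescape(literal: str) -> str:
    r"""Model (assumption) of how SPL processes a double-quoted string literal:
    \\ becomes \ and \" becomes ". Other sequences such as \s are passed
    through unchanged to the regex engine."""
    return re.sub(r'\\([\\"])', r'\1', literal)


def spl_rex(spl_literal: str, event: str, group: str) -> Optional[str]:
    """Simulate `rex field=... "<spl_literal>"` and return the named capture.
    Assumption: Python's re behaves like Splunk's PCRE for these patterns;
    the only translation needed is (?<name>...) -> (?P<name>...)."""
    pattern = spl_unescape(spl_literal)
    pattern = re.sub(r'\(\?<(?=[A-Za-z_])', '(?P<', pattern)
    m = re.search(pattern, event)
    return m.group(group) if m else None


def parse_response(event: str) -> dict:
    r"""Mirror the sed + kv approach: strip the response=" wrapper, turn \"
    back into " and parse the remaining text as JSON, so every field is
    available rather than just the one matched by a hand-written regex."""
    body = re.sub(r'^response="\s*', '', event)
    body = re.sub(r'\s*"$', '', body)
    return json.loads(body.replace('\\"', '"'))


if __name__ == '__main__':
    # The working pattern reaches the regex engine as \\"serialNumber\\" ...,
    # i.e. a literal backslash followed by a quote, which is what the event holds.
    print('regex after SPL unescaping:', spl_unescape(WORKING_PATTERN))
    # The single-backslash version reaches the engine as \"serialNumber\" ...,
    # which matches a bare quote and fails on the backslash in the event.
    print('single-backslash pattern  :', spl_rex(OP_PATTERN, SAMPLE_RESPONSE, 'srLNumber'))
    print('double-backslash pattern  :', spl_rex(WORKING_PATTERN, SAMPLE_RESPONSE, 'srLNumber'))
    details = parse_response(SAMPLE_RESPONSE)['FetchedDetails']
    print('parsed JSON serialNumber  :', details['serialNumber'])
```

The point the model makes concrete: each backslash the regex engine must see costs two in the SPL literal, so matching the literal backslash that precedes every inner quote needs four (\\\\ becomes \\ for SPL, which is one escaped backslash for PCRE), while \" only needs to survive as a plain quote. The JSON route sidesteps the regex entirely once the \" pairs are restored.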
 
This absolutely does work.
 
Weird, I just did one earlier that only needed a single backslash for quotes and backslashes...
 
Are you sure this is the "response" field in your data? Have you tried removing field=response?
@jkat54: Thanks for replying. Yes, I am sure this is in the response object.
By the way, I have tried with the _raw field as well, and that also did not fetch the result.
