For the following log lines, I would like to filter by a string. I would have to extract the string using a regex.
traceId=xyz msg=Patch for deviceId with body {"parameters":[{"value":"{\"code\":\"ABC_DEF_SEND_MACBOOKS\",\"commands\.....}
traceId=xyz msg=Patch for deviceId with body {"parameters":[{"value":"{\"code\":\"ABC_DEF_OPEN_MACBOOKS\",\"commands\.....}
My Splunk query is as follows.
host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" | rex "code\\"\:\\"(?<codes>.{20})" | where codes=ABC_DEF_SEND_MACBOOKS
But Splunk throws the error below, related to the regex:
Error in 'rex' command: Encountered the following error while compiling the regex 'code\\:\(?<codes>.{20})': Regex: unmatched closing parenthesis
When I checked the regex on regex101.com, the output for codes is as expected.
What is wrong with the parenthesis in this case?
Try this:
host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" | rex field=_raw "code\\\+\":+\\\+\"(?<codes>.*?)\\\+" | where codes="ABC_DEF_SEND_MACBOOKS"
In your where condition you also need to put your string within quotes, as above.
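To see why the escaping matters, here is an added example (not from the thread or from Splunk) that takes the rex argument from the answer above, runs it through a simplified model of how a double-quoted SPL string is unescaped before it reaches the regex engine (an assumption based on the documented rule that `\\` stands for a backslash and `\"` for a quote; it is not Splunk's parser), and applies the resulting pattern to two constructed events shaped like the question's truncated log lines. It also shows the alternative a practitioner would usually prefer for this kind of event: the body is JSON and `value` is itself a JSON-encoded string, so decoding twice extracts `code` without matching escape sequences at all. The helper names (`spl_unescape`, `extract_code_regex`, `extract_code_json`, `filter_by_code`) and the complete event bodies are made up for the example.

```python
import json
import re

# Constructed sample events in the shape of the question's log lines. The
# originals are truncated ("....."); these carry complete, made-up bodies so
# that both the outer JSON and the JSON-encoded "value" string parse.
SAMPLE_EVENTS = [
    'traceId=xyz msg=Patch for deviceId with body '
    '{"parameters":[{"value":"{\\"code\\":\\"ABC_DEF_SEND_MACBOOKS\\",\\"commands\\":[]}"}]}',
    'traceId=xyz msg=Patch for deviceId with body '
    '{"parameters":[{"value":"{\\"code\\":\\"ABC_DEF_OPEN_MACBOOKS\\",\\"commands\\":[]}"}]}',
]

# The rex argument exactly as typed in the answer's SPL, i.e. the text between
# the surrounding double quotes of the rex command.
SPL_REX_ARG = r'code\\\+\":+\\\+\"(?<codes>.*?)\\\+'


def spl_unescape(s: str) -> str:
    # Simplified model (an assumption, not Splunk's parser) of how a
    # double-quoted SPL string reaches rex: \\ becomes one backslash, \" becomes
    # a quote, and any other backslash sequence (such as \+) is passed through
    # untouched so that it still works as a regex escape.
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def to_python_regex(pcre: str) -> str:
    # Splunk's rex is PCRE, which spells named groups (?<name>...); Python's re
    # needs (?P<name>...). Rewrite only named groups, not lookbehinds (?<= (?<!.
    return re.sub(r"\(\?<(?![=!])", "(?P<", pcre)


# After unescaping, the regex engine sees: code\\+":+\\+"(?<codes>.*?)\\+
# where \\+ matches the literal backslash that precedes each quote in the event.
COMPILED = re.compile(to_python_regex(spl_unescape(SPL_REX_ARG)))


def extract_code_regex(event: str):
    # Equivalent of `| rex field=_raw "..."`: returns the captured "codes" field.
    m = COMPILED.search(event)
    return m.group("codes") if m else None


def extract_code_json(event: str):
    # Robust alternative: the body is JSON, and "value" is itself a JSON-encoded
    # string, so decode twice instead of matching the \" escape sequences.
    body = event.split(" with body ", 1)[1]
    inner = json.loads(json.loads(body)["parameters"][0]["value"])
    return inner.get("code")


def filter_by_code(events, wanted):
    # Equivalent of `| where codes="ABC_DEF_SEND_MACBOOKS"`: the value to
    # compare against is a string literal, so it has to be quoted.
    return [e for e in events if extract_code_json(e) == wanted]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_code_regex(ev), extract_code_json(ev))
    print(len(filter_by_code(SAMPLE_EVENTS, "ABC_DEF_SEND_MACBOOKS")), "event(s) match")
```

The lazy `(?<codes>.*?)` followed by `\\+` stops the capture at the backslash that precedes the closing quote, which is why it returns the bare code rather than a fixed 20 characters; the JSON route gives the same value without depending on how many backslashes the log writer added.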
My guess is that the reason for the failure is that you are not escaping the double quotes (").
Try something like:
host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" | rex "code\\\"\:\\\"(?<codes>.{20})"
cheers