Splunk Search

Regex not working event after validating in regex101.com

macadminrohit
Contributor

This is my regex :

Test Name\","value":"(?.*)},{"key"

and my test string is :

{"key":"Test Name","value":"GET:Corp Ping Test"},{"key":"URL","value"

Basically i want to extract this set "GET:Corp Ping Test" , splunk doesnt extract anything in

Tags (1)
0 Karma
1 Solution

niketn
Legend

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

I think you are missing a name for your capture group. Try this:

Test Name\","value":"(?<myfield>.*)"},{"key"

I wasn't sure if you wanted the quote at the end so I removed it as well.

0 Karma

macadminrohit
Contributor

i missed that in my question, but actually was there in regex. I missed to add \ to mask the double quotes.

0 Karma

niketn
Legend

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

macadminrohit
Contributor

Thanks Niket. It works like a charm :slightly_smiling_face:

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...