Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex not working event after validating in regex101.com

macadminrohit
Contributor
‎05-10-2018 11:44 AM

This is my regex :

Test Name\","value":"(?.*)},{"key"

and my test string is :

{"key":"Test Name","value":"GET:Corp Ping Test"},{"key":"URL","value"

Basically i want to extract this set "GET:Corp Ping Test" , splunk doesnt extract anything in

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-10-2018 11:56 AM

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-10-2018 12:04 PM

I think you are missing a name for your capture group. Try this:

Test Name\","value":"(?<myfield>.*)"},{"key"

I wasn't sure if you wanted the quote at the end so I removed it as well.

0 Karma
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎05-10-2018 02:14 PM

i missed that in my question, but actually was there in regex. I missed to add \ to mask the double quotes.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-10-2018 11:56 AM

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎05-10-2018 12:06 PM

Thanks Niket. It works like a charm 🙂

Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...