Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex not working event after validating in regex101.com

macadminrohit
Contributor
‎05-10-2018 11:44 AM

This is my regex :

Test Name\","value":"(?.*)},{"key"

and my test string is :

{"key":"Test Name","value":"GET:Corp Ping Test"},{"key":"URL","value"

Basically i want to extract this set "GET:Corp Ping Test" , splunk doesnt extract anything in

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-10-2018 11:56 AM

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-10-2018 12:04 PM

I think you are missing a name for your capture group. Try this:

Test Name\","value":"(?<myfield>.*)"},{"key"

I wasn't sure if you wanted the quote at the end so I removed it as well.

0 Karma
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎05-10-2018 02:14 PM

i missed that in my question, but actually was there in regex. I missed to add \ to mask the double quotes.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-10-2018 11:56 AM

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎05-10-2018 12:06 PM

Thanks Niket. It works like a charm 🙂

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...