Splunk Search

Regex not working event after validating in regex101.com

macadminrohit
Contributor

This is my regex :

Test Name\","value":"(?.*)},{"key"

and my test string is :

{"key":"Test Name","value":"GET:Corp Ping Test"},{"key":"URL","value"

Basically i want to extract this set "GET:Corp Ping Test" , splunk doesnt extract anything in

Tags (1)
0 Karma
1 Solution

niketn
Legend

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

I think you are missing a name for your capture group. Try this:

Test Name\","value":"(?<myfield>.*)"},{"key"

I wasn't sure if you wanted the quote at the end so I removed it as well.

0 Karma

macadminrohit
Contributor

i missed that in my question, but actually was there in regex. I missed to add \ to mask the double quotes.

0 Karma

niketn
Legend

@macadminrohit you need to escape the double quotes inside rex command using backslash. Try the following if rex needs to be applied on _raw data

<yourBaseSearch>
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Following is a run anywhere search based on code snippet and clarification provided.

| makeresults
| eval _raw="{\"key\":\"Test Name\",\"value\":\"GET:Corp Ping Test\"},{\"key\":\"URL\",\"value\""
| rex ",\"value\":\"(?<value>[^\"]+)\"\}\,"

Please try out and confirm.

PS: Use the code button (101010 or shortcut Ctrl+K) on Splunk Answers for posting code, SPL, data to ensure that special characters do not escape. Alternatively you can add four spaces before each line of code/SPL/data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

macadminrohit
Contributor

Thanks Niket. It works like a charm 🙂

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...