Solved: Re: Rex Not Extracting All Data - Page 2

IRHM73 · ‎10-21-2015

HI,

I wonder whether someone could help me please.

I'm trying to extract the first name from the data as shown below:

 [{"name":{"current":{"firstName":"M","lastName":"SMITH"}},"ids":{"nino":"AA111111A"},"dateOfBirth":"26121973"}]

So I've put together the following rex:

rex field="detail.output-cid-response" "\"firstName\":\"(?<cidFName>[^\"]+)"

The problem I have is that although there is data there, it is not extracting the "cidFName" for all the records and to be honest I'm at a loss why.

Could someone perhaps shed some light on where I'm going wrong please.

Many thanks and kind regards

Chris

wpreston · ‎10-21-2015

Can you try this one?

rex field="detail.output-cid-response" "firstName\\\":\\\"(?<cidFName>[^\\]+)\\"

View solution in original post

IRHM73 · ‎10-21-2015

Hi please find a little more of my log:

{"output-cid-response":"[{\"name\":{\"current\":{\"firstName\":\"ESTELLE\",\"lastName\":\"CRICHTON\"}},\"ids\":{\"sautr\":\"2354290204\",\"nino\":\"ZA631419C\"},\"dateOfBirth\":\"04111923\"}]"

I also don't see a problem with Regex, because I've been using Regex101 to check this.

I hope this helps.

Many thanks and kind regards

Chris

renatobamorim · ‎10-21-2015

try use rex field=_raw

Rex Not Extracting All Data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation