How do I use the rex command to show the value between `id` and `language` (for example 0827ce61-e07c-4b51-a052-681dcc94fa2f) in a table?
I tried EREX to generate the pattern; it worked in most cases but failed in some.
Is there any easy way to show the value between two fields?
Event sample provided:
{"line":"c5fd03529388e8d6 INFO 2021-06-10 04:11:02,966 [reactor-http-epoll-2] com.test.content.test.external.SnsPayloadEventSender Sent payload event id=9a67e81d-5ae3-5e84-b1f7-b126c9f5c787 for payload event={\"approvalDate\":\"2015-06-10T04:11:02.128Z\",\"adenceIds\":[],\"adenceTargets\":[],\"collGroupId\":\"008be467-6c78-4079-94f0-70e2d6cc4003\",\"collections\":[\"d879aa85-698c-41a1-b066-a8ecdf6b8a9c\",\"d879aa85-698c-41a1-b066-a8ecdf6b8a9c\"],\"endSchedule\":\"3000-01-01T19:00:00.000Z\",\"id\":\"0827ce61-e07c-4b51-a052-681dcc94fa2f\",\"language\":\"ja\",\"mplace\":\"JP\",\"nodeVersion\":null,\"payloadType\":\"thread\",\"preview\":false,\"resourceSubType\":\"thread\",\"resourceType\":\"thread\",\"startSchedule\":\"2021-03-26T22:00:28.000Z\",\"type\":\"P\",\"version\":\"1622644250765\"}","source":"stdout","tag":"21c5897e605c","attrs":{"application":"test","team":"test"}}
Hi @rajasplunk89,
it depends on the presence of backslashes in your log.
If there are, use this regex:
| rex "\"id\\\":\\\"(?<id>[^\\]+)"
that you can test at https://regex101.com/r/JNvX1g/1
If there aren't, use this regex:
| rex "\"id\":\"(?<id>[^\"]+)"
that you can test at https://regex101.com/r/0nuV10/1
Ciao.
Giuseppe
Got the following error.
Hi @rajasplunk89,
The regex is correct, as you can test in regex101, but sometimes Splunk requires an additional backslash to escape the backslash in logs. Please try this:
| rex "\"id\\\\":\\\\"(?<id>[^\\]+)"
Ciao.
Giuseppe
| rex "id\\\\\":\\\\\"(?<id>.*)\\\\\",\\\\\"language"
It worked in most cases, but in some cases it pulled the entire event.
Is it possible to filter even that?
What is the logic behind using \\\\? Could you please explain that too?
In the case you have highlighted, the language element does not appear immediately after the id element, so the extract gives what is between id and language (which is what you asked for). If you just want what is between the double quotes after the id tag, try this:
| rex "id\\\\\":\\\\\"(?<id>[^\\\]*)"
The backslashes are to escape the backslashes and the double quotes.
Some values are wrong if I use
rex "id\\\\\":\\\\\"(?<id>[^\\\]*)"
For example, 52049d5f-23b4-4226-805d-4a210879b0aa is not pulled, whereas 4282b6b8-56dd-406d-8fbc-165b82a3f4d2 is pulled:
{"line":"d4a1bdc6f233db7d INFO 2021-06-09 19:35:45,010 [reactor-http-epoll-4] com.test.content.test.external.SnsPayloadEventSender Sent payload event id=daae6ff7-bf8f-5b42-9975-36cca5dfd502 for payload event={\"approvalDate\":\"2021-06-09T19:35:44.670Z\",\"audienceIds\":[\"4282b6b8-56dd-406d-8fbc-165b82a3f4d2\"],\"audienceTargets\":[{\"id\":\"4282b6b8-56dd-406d-8fbc-165b82a3f4d2\",\"type\":null}],\"collectionGroupId\":\"82a74ac1-c527-4470-b7b0-fb5f3ef3c2e2\",\"collections\":[\"90eef6b9-8a55-43cd-9aa8-73d29a55494b\"],\"endSchedule\":\"3000-01-01T19:00:00.000Z\",\"id\":\"52049d5f-23b4-4226-805d-4a210879b0aa\",\"language\":\"es-419\",\"mplace\":\"US\",\"nodeVersion\":null,\"payloadType\":\"thread\",\"preview\":false,\"resourceSubType\":\"thread\",\"resourceType\":\"thread\",\"startSchedule\":\"2021-06-11T21:00:57.000Z\",\"type\":\"PUBLISH\",\"version\":\"1623267340386\"}","source":"stdout","tag":"4d9520571148","attrs":{"application":"test","team":"test"}}
Got this error.
| rex "\"id\\\\\":\\\\\"(?<id>[^\\\]*)"
Still getting the wrong value:
{"line":"d4a1bdc6f233db7d INFO 2021-06-09 19:35:45,010 [reactor-http-epoll-4] com.test.content.test.external.SnsPayloadEventSender Sent payload event id=daae6ff7-bf8f-5b42-9975-36cca5dfd502 for payload event={\"approvalDate\":\"2021-06-09T19:35:44.670Z\",\"audienceIds\":[\"4282b6b8-56dd-406d-8fbc-165b82a3f4d2\"],\"audienceTargets\":[{\"id\":\"4282b6b8-56dd-406d-8fbc-165b82a3f4d2\",\"type\":null}],\"collectionGroupId\":\"82a74ac1-c527-4470-b7b0-fb5f3ef3c2e2\",\"collections\":[\"90eef6b9-8a55-43cd-9aa8-73d29a55494b\"],\"endSchedule\":\"3000-01-01T19:00:00.000Z\",\"id\":\"52049d5f-23b4-4226-805d-4a210879b0aa\",\"language\":\"es-419\",\"mplace\":\"US\",\"nodeVersion\":null,\"payloadType\":\"thread\",\"preview\":false,\"resourceSubType\":\"thread\",\"resourceType\":\"thread\",\"startSchedule\":\"2021-06-11T21:00:57.000Z\",\"type\":\"PUBLISH\",\"version\":\"1623267340386\"}","source":"stdout","tag":"4d9520571148","attrs":{"application":"test","team":"test"}}
| rex "\"id\\\\\":\\\\\"(?<id>[^\\\]*)\\\\\",\\\\\"language"
Thanks a lot, it worked!
Could you please explain the logic?
Why are so many backslashes used? Which backslash avoids which one?
rex takes a double-quoted string; this means that if it contains a double quote, it needs to be escaped so it doesn't close the string. The escaping character is a backslash. This also means that backslashes have to be escaped with another backslash. The string you are searching also has escaped double quotes, so the match string needs to escape the escape and escape the double quote. That would get you to the point where the match string would work in regex101.com. However, it appears that the way Splunk parses the SPL, it requires a further 2 backslashes for each escaped original backslash. So, you can see that the backslashes keep piling up.
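The four patterns tried in this thread, replayed at the regex level in Python as an added example (this is not code from the thread, from Splunk, or from any of its participants). It works on two constructed events modelled on the samples above and trimmed to the keys that matter, so it shows why the greedy `.*` swallowed most of the event, why the nested `{\"id\":\"...}` inside `audienceTargets` hijacked the first two fixes, and why requiring `\",\"language` after the value finally selects the top-level `id`. It covers only the log-text and regex escaping layers that regex101 sees; the extra SPL string-literal layer described in the last answer is Splunk-specific and is not modelled here. The `extract_structurally` function and its split on `payload event=` are an assumed alternative, not something from the thread.

```python
import json
import re
from typing import Optional

# Constructed sample events, modelled on the two events posted in the thread and
# trimmed to the keys that matter. Inside the JSON "line" value every inner quote
# is escaped, so the text the regex actually sees contains backslash + double quote.
# Event A: adenceTargets is empty, so the first `id` key is the one we want.
EVENT_A = (
    r'{"line":"c5fd03529388e8d6 INFO 2021-06-10 04:11:02,966 Sent payload event '
    r'id=9a67e81d-5ae3-5e84-b1f7-b126c9f5c787 for payload event={\"adenceTargets\":[],'
    r'\"id\":\"0827ce61-e07c-4b51-a052-681dcc94fa2f\",\"language\":\"ja\",\"mplace\":\"JP\"}",'
    r'"source":"stdout"}'
)
# Event B: a nested `id` key inside audienceTargets appears BEFORE the top-level one,
# which is what made the thread's first patterns pick the wrong value.
EVENT_B = (
    r'{"line":"d4a1bdc6f233db7d INFO 2021-06-09 19:35:45,010 Sent payload event '
    r'id=daae6ff7-bf8f-5b42-9975-36cca5dfd502 for payload event={'
    r'\"audienceIds\":[\"4282b6b8-56dd-406d-8fbc-165b82a3f4d2\"],'
    r'\"audienceTargets\":[{\"id\":\"4282b6b8-56dd-406d-8fbc-165b82a3f4d2\",\"type\":null}],'
    r'\"id\":\"52049d5f-23b4-4226-805d-4a210879b0aa\",\"language\":\"es-419\",\"mplace\":\"US\"}",'
    r'"source":"stdout"}'
)

# Escaping layers, innermost first:
#   log text:        \"id\":\"          (backslash, quote, id, backslash, quote, ...)
#   regex source:    \\"id\\":\\"       (each \\ matches one literal backslash)
#   Python literal:  r'\\"id\\":\\"'    (raw string, so the regex source is typed as-is)
# Splunk adds one more layer (the SPL double-quoted string), which is not modelled here.
# Python spells the named group (?P<id>...) where Splunk/PCRE accept (?<id>...).
PATTERNS = {
    # greedy .* runs forward to the LAST \",\"language it can still match
    "greedy": r'id\\":\\"(?P<id>.*)\\",\\"language',
    # [^\\]* stops at the first backslash (the closing \"), but matches the first `id` seen
    "negated_class": r'id\\":\\"(?P<id>[^\\]*)',
    # a leading \" does not disambiguate: the nested {\"id\":\" has one too
    "quoted_key": r'\\"id\\":\\"(?P<id>[^\\]*)',
    # requiring \",\"language directly after the value rejects the nested id
    "quoted_key_and_successor": r'\\"id\\":\\"(?P<id>[^\\]*)\\",\\"language',
}


def extract(pattern_name: str, event: str) -> Optional[str]:
    """Return the `id` capture for the named pattern, or None if it does not match."""
    m = re.search(PATTERNS[pattern_name], event)
    return m.group("id") if m else None


def extract_structurally(event: str) -> str:
    """Assumed alternative: parse the outer JSON, then the embedded payload JSON.

    This avoids the escaping problem altogether; the split on 'payload event='
    assumes the line format shown in the thread.
    """
    line = json.loads(event)["line"]
    payload = json.loads(line.split("payload event=", 1)[1])
    return payload["id"]


if __name__ == "__main__":
    for label, event in (("A", EVENT_A), ("B", EVENT_B)):
        print(f"event {label}, structural parse: {extract_structurally(event)}")
        for name in PATTERNS:
            print(f"event {label}, {name:<26}: {extract(name, event)!r}")
```

Running it shows the progression from the thread: on event B the greedy pattern returns the nested id plus everything up to the top-level id, the two `[^\\]*` variants return the nested `4282b6b8-...` value, and only the pattern that also requires `\",\"language` returns `52049d5f-...`. Where the logging pipeline allows it, parsing the JSON (Splunk's spath serves the same purpose) is the more robust choice, because a regex anchored on key names is only as reliable as the key order in the payload.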