Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Rex not yielding result

harryhcg
Explorer
‎09-05-2023 10:05 PM

Data: {"Field1":"xxx","message1":"{0}","message2":"xxx","message3":{"TEXT":"xxxx: xxx\r\n.xxxxx: {\"xxxxx\":{\"@CDI\":\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \",\"@RETURN\":\"xxxx-xxxxxxxxxx-xx-xxxxx\",\"@message4\":\"xxxxxx:xxx\",\"message5\":{\"message6............

 

Want to extract new field highlighted above but not getting any result. 

 

This is what I tried:

| rex field=_raw "RETURN\\\"\:\\\"(?<Field2>[^\\]+)"

 

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2023 11:43 PM

Hi @harryhcg,

this seems to be a json format, so, as @yuanliu hinted, try to use the "spath" command (https://community.splunk.com/t5/Splunk-Enterprise/spath-command/m-p/518343) .

About your regex, try to add another backslash to your regex:

| rex "RETURN\\\\"\:\\\\"(?<Field2>[^\\]+)"

Ciao.

Giuseppe

0 Karma
Reply

harryhcg
Explorer
‎09-06-2023 01:50 AM

Regarding regex suggestion, still have issue. 

Error - Regex: missing terminating ] for character class.

 

Analysing raw data to use spath. Thank you @gcusello @yuanliu 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-06-2023 11:31 PM

If you have to use regex, you will need more backslashes.

| rex "@RETURN\\\\\":\\\\\"(?<Field2>[^\\\]+)"
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 01:59 AM

Hi @harryhcg ,

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply

harryhcg
Explorer
‎09-06-2023 02:03 AM

Single field extraction still wondering why it didn't work. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 11:34 PM

Hi @harryhcg,

as also @yuanliu hinted, you have to add another backslash to the regex:

| rex "RETURN\\\\\"\:\\\\\"(?<Field2>[^\\]+)"

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-05-2023 11:19 PM

As I always tell people, do not treat structured data as plain text, and rex is not the right tool for JSON.

Looking at your illustration, I am convinced that your original data is fully compliant; the field message3.TEXT embeds an escaped, fully compliant JSON message with some leading text.  Like thus

 

{"Field1":"xxx","message1":"{0}","message2":"xxx","message3":{"TEXT":"xxxx: xxx\r\n.xxxxx: {\"xxxxx\":{\"@CDI\":\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \",\"@RETURN\":\"xxxx-xxxxxxxxxx-xx-xxxxx\",\"@message4\":\"xxxxxx:xxx\",\"message5\":{\"message6\":null}}}"}}

 

As such, you can use this to directly access the field RETURN

 

| eval TEXT = replace('message3.TEXT', "^[^{]+", "")
| spath input=TEXT path="xxxxx.@RETURN" output=Field2

 

 The illustrated data will give something like

Field1Field2message1message2message3.TEXT
xxxxxxx-xxxxxxxxxx-xx-xxxxx{0}xxxxxxx: xxx .xxxxx: {"xxxxx":{"@CDI":"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 ","@RETURN":"xxxx-xxxxxxxxxx-xx-xxxxx","@message4":"xxxxxx:xxx","message5":{"message6":null}}}

Here is an emulation you can play with and compare with raw data

 

| makeresults
| eval _raw = "{\"Field1\":\"xxx\",\"message1\":\"{0}\",\"message2\":\"xxx\",\"message3\":{\"TEXT\":\"xxxx: xxx\\r\\n.xxxxx: {\\\"xxxxx\\\":{\\\"@CDI\\\":\\\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \\\",\\\"@RETURN\\\":\\\"xxxx-xxxxxxxxxx-xx-xxxxx\\\",\\\"@message4\\\":\\\"xxxxxx:xxx\\\",\\\"message5\\\":{\\\"message6\\\":null}}}\"}}"
| spath
``` data emulation above ```

 

 

Tags (1)
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-07-2023 02:15 AM

While I wholeheartedly agree with the "don't use regex for structured data" it's worth noting that sometimes it's not easy to extract the structured part from the whole event.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...