Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Rex not yielding result

harryhcg
Explorer
‎09-05-2023 10:05 PM

Data: {"Field1":"xxx","message1":"{0}","message2":"xxx","message3":{"TEXT":"xxxx: xxx\r\n.xxxxx: {\"xxxxx\":{\"@CDI\":\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \",\"@RETURN\":\"xxxx-xxxxxxxxxx-xx-xxxxx\",\"@message4\":\"xxxxxx:xxx\",\"message5\":{\"message6............

 

Want to extract new field highlighted above but not getting any result. 

 

This is what I tried:

| rex field=_raw "RETURN\\\"\:\\\"(?<Field2>[^\\]+)"

 

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2023 11:43 PM

Hi @harryhcg,

this seems to be a json format, so, as @yuanliu hinted, try to use the "spath" command (https://community.splunk.com/t5/Splunk-Enterprise/spath-command/m-p/518343) .

About your regex, try to add another backslash to your regex:

| rex "RETURN\\\\"\:\\\\"(?<Field2>[^\\]+)"

Ciao.

Giuseppe

0 Karma
Reply

harryhcg
Explorer
‎09-06-2023 01:50 AM

Regarding regex suggestion, still have issue. 

Error - Regex: missing terminating ] for character class.

 

Analysing raw data to use spath. Thank you @gcusello @yuanliu 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-06-2023 11:31 PM

If you have to use regex, you will need more backslashes.

| rex "@RETURN\\\\\":\\\\\"(?<Field2>[^\\\]+)"
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 01:59 AM

Hi @harryhcg ,

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply

harryhcg
Explorer
‎09-06-2023 02:03 AM

Single field extraction still wondering why it didn't work. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2023 11:34 PM

Hi @harryhcg,

as also @yuanliu hinted, you have to add another backslash to the regex:

| rex "RETURN\\\\\"\:\\\\\"(?<Field2>[^\\]+)"

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-05-2023 11:19 PM

As I always tell people, do not treat structured data as plain text, and rex is not the right tool for JSON.

Looking at your illustration, I am convinced that your original data is fully compliant; the field message3.TEXT embeds an escaped, fully compliant JSON message with some leading text.  Like thus

 

{"Field1":"xxx","message1":"{0}","message2":"xxx","message3":{"TEXT":"xxxx: xxx\r\n.xxxxx: {\"xxxxx\":{\"@CDI\":\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \",\"@RETURN\":\"xxxx-xxxxxxxxxx-xx-xxxxx\",\"@message4\":\"xxxxxx:xxx\",\"message5\":{\"message6\":null}}}"}}

 

As such, you can use this to directly access the field RETURN

 

| eval TEXT = replace('message3.TEXT', "^[^{]+", "")
| spath input=TEXT path="xxxxx.@RETURN" output=Field2

 

 The illustrated data will give something like

Field1Field2message1message2message3.TEXT
xxxxxxx-xxxxxxxxxx-xx-xxxxx{0}xxxxxxx: xxx .xxxxx: {"xxxxx":{"@CDI":"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 ","@RETURN":"xxxx-xxxxxxxxxx-xx-xxxxx","@message4":"xxxxxx:xxx","message5":{"message6":null}}}

Here is an emulation you can play with and compare with raw data

 

| makeresults
| eval _raw = "{\"Field1\":\"xxx\",\"message1\":\"{0}\",\"message2\":\"xxx\",\"message3\":{\"TEXT\":\"xxxx: xxx\\r\\n.xxxxx: {\\\"xxxxx\\\":{\\\"@CDI\\\":\\\"@ABC-123G-dhskdd-ghdkshd122@hkfhksdf12-djkshd12-hkdshd12 \\\",\\\"@RETURN\\\":\\\"xxxx-xxxxxxxxxx-xx-xxxxx\\\",\\\"@message4\\\":\\\"xxxxxx:xxx\\\",\\\"message5\\\":{\\\"message6\\\":null}}}\"}}"
| spath
``` data emulation above ```

 

 

Tags (1)
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-07-2023 02:15 AM

While I wholeheartedly agree with the "don't use regex for structured data" it's worth noting that sometimes it's not easy to extract the structured part from the whole event.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...