Splunk Rex: Extracting fields of a string into a C...

rczone · ‎11-19-2019

I'm a newbie to SPlunk REX trying to do some dashboards and need help in extracting fields of a particular variable
i read old articles in SPlunk old questions but couldn't figured it out..
Here in my case i want to extract only KB_List":"KB000119050,KB000119026,KB000119036" values to a column

Expected output: as a table

KB_Listed
KB000119050,KB000119026,KB000119036

i have tried:

| `rex field=_raw "KB_List\":\"(?<KB_List>[^\"])\""`

Message Snippet below:

svc_log_ERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":"","highestSeverity":"Minor","Source":"hsym-plyfss01","reqEmail":"true","AlertGroup":"TIBCOP","reqPage":"","KB_List":"KB000119050,KB000119026,KB000119036","reqTicket":"true","autoTicket":true,"SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0,"AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP","sentPageTo":"TESTPP"},"Notification":{"":{"requestId":"532938335"}},""

richgalloway · ‎11-19-2019

Try ... | rex "KB_List":"(?<KB_Listed>[^"]+)"

---
If this reply helps you, an upvote would be appreciated.

rczone · ‎11-19-2019

Error in 'SearchParser': Mismatched ']'. @richgalloway

mayurr98 · ‎11-19-2019

escape "

try :

| rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed

rczone · ‎11-19-2019

@mayurr98 returning none ...

| rex "KB_List\":\"(?[^\"]+)" | table KB_list

rczone · ‎11-19-2019

@mayurr98 | rex "KB_List\":\"(?[^\"]+)" | table KB_Listed this worked..thanks a ton

mayurr98 · ‎11-19-2019

try this:

.. | rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed

you are not putting the extracted value in the field. Copy the above query and run as it is.

rczone · ‎11-19-2019

tried this also rex "KB_List":"(?[^\"]+)" | table KB but no use

Splunk Rex: Extracting fields of a string into a Column