Splunk Search

Splunk Rex: Extracting fields of a string into a Column

rczone
Path Finder

I'm a newbie to SPlunk REX trying to do some dashboards and need help in extracting fields of a particular variable
i read old articles in SPlunk old questions but couldn't figured it out..
Here in my case i want to extract only KB_List":"KB000119050,KB000119026,KB000119036" values to a column

Expected output: as a table

KB_Listed
KB000119050,KB000119026,KB000119036

i have tried:

| `rex field=_raw "KB_List\":\"(?<KB_List>[^\"])\""`

Message Snippet below:

svc_log_ERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":"","highestSeverity":"Minor","Source":"hsym-plyfss01","reqEmail":"true","AlertGroup":"TIBCOP","reqPage":"","KB_List":"KB000119050,KB000119026,KB000119036","reqTicket":"true","autoTicket":true,"SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0,"AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP","sentPageTo":"TESTPP"},"Notification":{"":{"requestId":"532938335"}},""

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try ... | rex "KB_List":"(?<KB_Listed>[^"]+)"

---
If this reply helps you, Karma would be appreciated.

rczone
Path Finder

Error in 'SearchParser': Mismatched ']'. @richgalloway

0 Karma

mayurr98
Super Champion

escape "

try :

| rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed

rczone
Path Finder

@mayurr98 returning none ...

| rex "KB_List\":\"(?[^\"]+)" | table KB_list
0 Karma

rczone
Path Finder

@mayurr98 | rex "KB_List\":\"(?[^\"]+)" | table KB_Listed this worked..thanks a ton

0 Karma

mayurr98
Super Champion

try this:

.. | rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed

you are not putting the extracted value in the field. Copy the above query and run as it is.

rczone
Path Finder

tried this also rex "KB_List":"(?[^\"]+)" | table KB but no use

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...