Splunk Rex: Extracting fields of a string into a Column

Explorer

I'm a newbie to Splunk rex, trying to build some dashboards, and I need help extracting the value of a particular field.
I read old Splunk questions and articles but couldn't figure it out.
In my case I want to extract only the KB_List":"KB000119050,KB000119026,KB000119036" values into a column.

Expected output: as a table

KB_Listed
KB000119050,KB000119026,KB000119036

I have tried:

| rex field=_raw "KB_List\":\"(?<KB_List>[^\"])\""

Message Snippet below:

svclogERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":"","highestSeverity":"Minor","Source":"hsym-plyfss01","reqEmail":"true","AlertGroup":"TIBCOP","reqPage":"","KB_List":"KB000119050,KB000119026,KB000119036","reqTicket":"true","autoTicket":true,"SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0,"AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP","sentPageTo":"TESTPP"},"Notification":{"":{"requestId":"532938335"}},""

0 Karma

SplunkTrust

Try ... | rex "KB_List":"(?<KB_Listed>[^"]+)"


Explorer

Error in 'SearchParser': Mismatched ']'. @richgalloway

0 Karma

SplunkTrust

escape "

Try:

| rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed

Explorer

@mayurr98 returning none ...

| rex "KB_List\":\"(?[^\"]+)" | table KB_list

0 Karma

Explorer

@mayurr98 | rex "KBList\":\"(?[^\"]+)" | table KBListed this worked..thanks a ton

0 Karma

SplunkTrust

Try this:

.. | rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed

You are not putting the extracted value in the field. Copy the above query and run it as it is.

Explorer

tried this also rex "KB_List":"(?[^\"]+)" | table KB but no use

0 Karma
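The extraction discussed in this thread, as an added example that is not taken from any of the posts: a search that runs without indexed data by building one constructed event (trimmed from the message snippet in the question), then applies the question's quantifier-less pattern next to the working one. The field names `one_char` and `KB` are hypothetical, and the inline comments assume a Splunk version that supports triple-backtick comments.

```spl
| makeresults ```one constructed event, trimmed from the message snippet in the question```
| eval _raw="{\"hasKBList\":\"true\",\"AlertGroup\":\"TIBCOP\",\"KB_List\":\"KB000119050,KB000119026,KB000119036\",\"reqTicket\":\"true\"}"
| rex field=_raw "KB_List\":\"(?<one_char>[^\"])\"" ```pattern from the question: no quantifier, so it only matches a 1-character value and extracts nothing here```
| rex field=_raw "KB_List\":\"(?<KB_Listed>[^\"]+)\"" ```+ captures every character up to the closing quote; the inner quotes are escaped for the search parser```
| eval KB=split(KB_Listed, ",") ```multivalue field, one KB id per value```
| table KB_Listed KB one_char
```

`one_char` stays empty while `KB_Listed` holds the full comma-separated list; appending `| mvexpand KB` gives one row per KB id for a dashboard panel.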