- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk Rex: Extracting fields of a string into...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Rex: Extracting fields of a string into a Column
I'm a newbie to SPlunk REX trying to do some dashboards and need help in extracting fields of a particular variable
i read old articles in SPlunk old questions but couldn't figured it out..
Here in my case i want to extract only KB_List":"KB000119050,KB000119026,KB000119036" values to a column
Expected output: as a table
KB_Listed
KB000119050,KB000119026,KB000119036
i have tried:
| `rex field=_raw "KB_List\":\"(?<KB_List>[^\"])\""`
Message Snippet below:
svc_log_ERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":"","highestSeverity":"Minor","Source":"hsym-plyfss01","reqEmail":"true","AlertGroup":"TIBCOP","reqPage":"","KB_List":"KB000119050,KB000119026,KB000119036","reqTicket":"true","autoTicket":true,"SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0,"AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP","sentPageTo":"TESTPP"},"Notification":{"":{"requestId":"532938335"}},""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try ... | rex "KB_List":"(?<KB_Listed>[^"]+)"
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Error in 'SearchParser': Mismatched ']'. @richgalloway
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
escape "
try :
| rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mayurr98 returning none ...
| rex "KB_List\":\"(?[^\"]+)" | table KB_list
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mayurr98 | rex "KB_List\":\"(?[^\"]+)" | table KB_Listed this worked..thanks a ton
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
.. | rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed
you are not putting the extracted value in the field. Copy the above query and run as it is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tried this also rex "KB_List":"(?[^\"]+)" | table KB but no use
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
