Re: Unable to create field using regex

sagar_shubham · ‎12-29-2021

Hi Team,

Need your help in creating regex to create a field.

"User_Claim":("sub":"qweihaytej"; "login_id":"Abc@domain.com";........)

Here User_Claim is a field. I have to create a field for login_id.

I have tried with this, and it's not working.

..... | rex field=User_Claim " login_id"(? <loginID>\w+.) "

I am unable to see the field name in the interesting fields.

Please suggest in this.

Thanks

Sagar

ashvinpandey · ‎12-30-2021

@sagar_shubham Try using the below rex:

| rex field=_raw "login_id\"\:\"(?P<login_id>.*?)\""

Also if this reply helped you in solving your problem an up-vote would be appreciated 👍

richgalloway · ‎12-29-2021

That regex has a few extra characters in it (and some missing ones) that prevent a match. Also, "\w+" won't match the full login_id field because of the "@" (which is not a word character). Finally, embedded quotation marks need to be escaped. Try this command:

| rex field=User_Claim "login_id\\\":\\\" \\\"(?<loginID>[^\\\"]+)"

---
If this reply helps you, Karma would be appreciated.

sagar_shubham · ‎12-30-2021

This is not working Sir.

richgalloway · ‎12-30-2021

Meaning what, exactly? Please share the full query you tried, what results were expected, and what results you got.

---
If this reply helps you, Karma would be appreciated.

Unable to create field using regex

field extraction

regex

rex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?