Re: What am I doing wrong in this regex?

hagjos43 · ‎10-09-2017

This works if you | rex "EXTRACT-json_data=.+\"(?<json_data>{.+})\""

But when I try to move it over to props.conf as:

[mysourcetype]
EXTRACT-json_data=.+"(?<json_data>{.+})

It doesn't work.

Any ideas on what I'm doing wrong?

Thanks!
-Joe

gcusello · ‎10-10-2017

Hi hagjos43,
in your props.conf probably the error is that a backslash is missing before first brackets.
Anyway, try this to have all the chars between braces (without braces)

.+\"\{\"(?<json_data>[^\}]*)\"\}\"

Bye.
Giuseppe

DalJeanis · ‎10-09-2017

Probably closer to this...

[mysourcetype]
REGEX  = EXTRACT-json_data=.+"(?<json_data>{.+})"

kyaparla · ‎10-09-2017

you may have to escape your double quotes in props.conf

wrangler2x · ‎10-11-2017

Take this basic search and replace the event field with experimental data to see what breaks your regex

| makeresults
| eval event=",\"{whatever}\""
| rex field=event ",\"{(?<jason_data>[^}]+)"
| table jason_data event

MuS · ‎10-09-2017

Can you please post some sample events?

hagjos43 · ‎10-09-2017

12bca842-2f11-494c-b016-7668beda8bfd-1633657","2017-10-09T21:32:15.164Z","access","12bca842-2f11-494c-b016-7668beda8bfd-1633650","Scheduled activeSynchroniser_systemExternalOu-Mon Oct 09 17:32:15 EDT 2017",,,,,,"CREST","ScheduledTask","{""taskName"":""scheduler-service-group.activeSync_systemExternalOu""}",,,,,,,,"SUCCESSFUL",,,"12","MILLISECONDS",

MuS · ‎10-09-2017

so this regex .+\"(?<json_data>{.+})\" matches everything in the { }

try this props.conf setting as kyaparla suggests and also move the { } out of the capturing group:

 EXTRACT-json_data=.+\"{(?<json_data>.+)}\"

hagjos43 · ‎10-10-2017

Appreciate your help so far but this still didn't work. Does it matter that this is a csv that it is ingesting? I would think field extractions didn't care what extension a file has.

What am I doing wrong in this regex?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!