- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: What am I doing wrong in this regex?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What am I doing wrong in this regex?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi hagjos43,
in your props.conf probably the error is that a backslash is missing before first brackets.
Anyway, try this to have all the chars between braces (without braces)
.+\"\{\"(?<json_data>[^\}]*)\"\}\"
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably closer to this...
[mysourcetype]
REGEX = EXTRACT-json_data=.+"(?<json_data>{.+})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you may have to escape your double quotes in props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take this basic search and replace the event field with experimental data to see what breaks your regex
| makeresults
| eval event=",\"{whatever}\""
| rex field=event ",\"{(?<jason_data>[^}]+)"
| table jason_data event
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please post some sample events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12bca842-2f11-494c-b016-7668beda8bfd-1633657","2017-10-09T21:32:15.164Z","access","12bca842-2f11-494c-b016-7668beda8bfd-1633650","Scheduled activeSynchroniser_systemExternalOu-Mon Oct 09 17:32:15 EDT 2017",,,,,,"CREST","ScheduledTask","{""taskName"":""scheduler-service-group.activeSync_systemExternalOu""}",,,,,,,,"SUCCESSFUL",,,"12","MILLISECONDS",
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so this regex .+\"(?<json_data>{.+})\" matches everything in the { }
try this props.conf setting as kyaparla suggests and also move the { } out of the capturing group:
EXTRACT-json_data=.+\"{(?<json_data>.+)}\"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Appreciate your help so far but this still didn't work. Does it matter that this is a csv that it is ingesting? I would think field extractions didn't care what extension a file has.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
