Splunk Search

What is the regular expression for my use case?

Path Finder

I am unable to display dv_state="Closed Complete" from the data. Please help me with a REX for this use case.

dv_state="Closed Complete"
dv_state="Open"
0 Karma
1 Solution

Motivator

I answered a similar question that would have extracted all the "dv_" fields for you from your data, but it seems you had figured it out there:

https://answers.splunk.com/answers/475190/help-me-rex-extraction.html#answer-474189

However, just for this state piece, this is how you do it:

yourQuery to return the data
| rex "dv_state\=\"(?<state>[^\"]+)"
| table state

If you also want the dv_state= in the string as well, use this:

yourQuery to return the data
| rex "(?<stateField>dv_state\=)\"(?<state>[^\"]+)"
| eval myString=stateField."\"".state."\""
| table stateField, state, myString


Explorer

rex "dv_state=\"(?<dv_state>[^\"]*)\""

Regular expressions are a language of their own... there are many good creators for that.
Online I often use regexr(dot)com.
On Mac, regExRX is a good choice.

Kind regards
Darth

0 Karma
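
An added example, not part of either answer above: a self-contained search that runs the extraction over three constructed events, so the rex can be checked without any indexed data. The field names raw and is_closed, the SAMPLE ticket numbers and the event contents are assumptions made up for illustration; the third event has no dv_state at all, to show what an unmatched event looks like.

```spl
| makeresults
| eval raw=split("number=SAMPLE0001 dv_state=\"Closed Complete\" dv_priority=\"3\";number=SAMPLE0002 dv_state=\"Open\" dv_priority=\"2\";number=SAMPLE0003 dv_priority=\"1\"", ";")
| mvexpand raw
| rex field=raw "dv_state=\"(?<state>[^\"]+)\""
| eval state=coalesce(state, "(no dv_state in event)")
| eval is_closed=if(state="Closed Complete", "yes", "no")
| table raw state is_closed
```

Adding `| where is_closed="yes"` to the end keeps only the Closed Complete events.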
