Solved: Why am I unable to extract a field from my logs wi...

mitcanmit · ‎03-16-2015

In my logs, I have the below part and I want to extract success

{\"state\":\"success\",

How do I formulate it with rex? I know that I should escape the backslashes and quotes but adding a \ does not do the trick. This is what I have tried:

| rex "\\\"state\\\":\\\"(?<state>\w*)\\\""

somesoni2 · ‎03-16-2015

Give this a try as well

your base search | rex   "(\\\)*\"state(\\\)*\":(\\\)*\"(?<state>\w*)(\\\)*\""

View solution in original post

somesoni2 · ‎03-16-2015

Give this a try as well

your base search | rex   "(\\\)*\"state(\\\)*\":(\\\)*\"(?<state>\w*)(\\\)*\""

richgalloway · ‎03-16-2015

Your regex string worked perfectly on regex101.com, but sometimes Splunk gets confused by quotation marks within strings. Try this alternative:

"\\\x22state\\\x22:\\\x22(?<state>\w*)\\\x22"

---
If this reply helps you, Karma would be appreciated.

Why am I unable to extract a field from my logs with rex using my current regular expression?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Why am I unable to extract a field from my logs with rex using my current regular expression?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25