Solved: Why am I unable to extract a field from my logs wi...

mitcanmit · ‎03-16-2015

In my logs, I have the below part and I want to extract success

{\"state\":\"success\",

How do I formulate it with rex? I know that I should escape the backslashes and quotes but adding a \ does not do the trick. This is what I have tried:

| rex "\\\"state\\\":\\\"(?<state>\w*)\\\""

somesoni2 · ‎03-16-2015

Give this a try as well

your base search | rex   "(\\\)*\"state(\\\)*\":(\\\)*\"(?<state>\w*)(\\\)*\""

View solution in original post

somesoni2 · ‎03-16-2015

Give this a try as well

your base search | rex   "(\\\)*\"state(\\\)*\":(\\\)*\"(?<state>\w*)(\\\)*\""

richgalloway · ‎03-16-2015

Your regex string worked perfectly on regex101.com, but sometimes Splunk gets confused by quotation marks within strings. Try this alternative:

"\\\x22state\\\x22:\\\x22(?<state>\w*)\\\x22"

---
If this reply helps you, Karma would be appreciated.

Why am I unable to extract a field from my logs with rex using my current regular expression?

Can’t make it to .conf25? Join us online!

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Are you a member of the Splunk Community?

Why am I unable to extract a field from my logs with rex using my current regular expression?

Can’t make it to .conf25? Join us online!

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform