Splunk Search

extract a field with colon and forward slash and flower braces


Hi Team,

I am looking to extract the last value, or the last but one, or both values from a field which looks like the one below (eeee fffff or {eeeee}/fffffff):


Please help me with the regular expression for it. I tried something like rex field=_raw "\"field\":\"././(?\w+)." but it is not working.


0 Karma


Thanks, guys. I will explore these options.

0 Karma


This works over at regex101.com...


In a rex command, that will have to be surrounded by quotes and properly escaped, which I believe looks like this...

| rex field=_raw  "\"field\":\"[^{]*{(?<myvalue1>[^}]+)}\/(?<myvalue2>[^\"]+)"

Explanation: This regex keys on the word field surrounded by quotes, followed by a colon and another quote. "field":"

After that, it matches and ignores anything that is not an open curly brace, then matches and discards one curly brace. [^{]*{

Now we are at our first field of interest. Match and grab everything that is not a close curly brace, putting it into field myvalue1. (?<myvalue1>[^}]+)

Then match and discard one close curly brace and a slash. }\/

Now we are at our second field of interest. Match and grab everything that is not a close quote, putting it into field myvalue2. (?<myvalue2>[^"]+)

The above demonstrates a desired efficiency method in regexes - always (whenever possible) make sure that successive elements are mutually exclusive. It is highly efficient to code [^{]+{ -- which translates as "match everything but a left curly, then match one left curly" -- because if there is NO left curly in the source, then we are done, and there is no backtracking. Runaway regexes are usually catastrophic only in the case of an ugly NON-match, as opposed to a match. This way, the non-match is quite graceful in knowing that it has no more work to do.

0 Karma



Can you please try <yourBasesearch> | rex "(?m).*\/(?<extracted_field>.*\/.*)\""

Sample query in which the first 2 lines generate dummy data.

| makeresults
| eval _raw="\"field\":\"aaaaa-bbbbb-cccc:v1.1-d1:ggg:/dddd/{eeeee}/fffffff\""
| rex "(?m).*\/(?<extracted_field>.*\/.*)\""
0 Karma
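The two rex patterns from the answers above, run outside Splunk against the sample event from the makeresults query. This is an added example, not code from either answer: JavaScript named groups use the same (?<name>...) syntax as the PCRE engine behind rex, so the patterns carry over almost verbatim. Two assumptions are made explicit in the comments: the curly braces are escaped (rex accepts them bare when they are not a quantifier), and the SPL-level \" escaping is dropped because the pattern is a regex literal rather than a quoted string. The no-match event is constructed to show that [^{]*\{ fails cleanly when there is no brace at all, and lastTwo() splits the second answer's combined field into the "last but one" and "last" values the question asked for.

```javascript
// Added example (not code from either answer): run the two rex patterns from
// this thread against a constructed sample event outside Splunk.
// JavaScript named groups use the same (?<name>...) syntax as PCRE/rex.

// Constructed _raw value, copied from the makeresults query in the thread.
const SAMPLE = '"field":"aaaaa-bbbbb-cccc:v1.1-d1:ggg:/dddd/{eeeee}/fffffff"';
// Constructed event with no braces and no slash: neither pattern should match.
const NO_MATCH = '"field":"aaaaa-bbbbb-cccc:v1.1-d1"';

// First answer: two separate fields. "{" and "}" are escaped here (assumption:
// rex accepts them bare when they do not form a quantifier), and the SPL-level
// \" escaping is gone because this is a regex literal, not a quoted string.
const TWO_FIELDS = /"field":"[^{]*\{(?<myvalue1>[^}]+)\}\/(?<myvalue2>[^"]+)/;

// Second answer: the last two slash-separated segments captured as one field.
const LAST_TWO = /.*\/(?<extracted_field>.*\/.*)"/;

// Run a pattern once and return a plain object of its named groups, or null
// when it does not match (the equivalent of rex leaving the fields unset).
function extract(re, raw) {
  const m = re.exec(raw);
  return m ? { ...m.groups } : null;
}

// The question asked for "the last value or last but one or both": split the
// second answer's combined field on "/" to get the two values individually.
function lastTwo(raw) {
  const r = extract(LAST_TWO, raw);
  if (r === null) return null;
  const [lastButOne, last] = r.extracted_field.split("/");
  return { lastButOne, last };
}

// Stand-alone run: print the extractions for both constructed events.
for (const raw of [SAMPLE, NO_MATCH]) {
  console.log(raw);
  console.log("  two fields:", extract(TWO_FIELDS, raw));
  console.log("  last two  :", lastTwo(raw));
}
```

On the sample event the first pattern yields myvalue1 = eeeee and myvalue2 = fffffff, the second yields extracted_field = {eeeee}/fffffff, and on the brace-less event both return null rather than a partial match, which is the behaviour the first answer's point about mutually exclusive successive elements is after.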


Especially with regexes, please mark your code with the code button (101 010), or set it on a separate line with at least 4 spaces in front of it, or surround it with grave accents (the key to the left of the 1 on an American keyboard). Any of those will keep the interface from reading the code as HTML and/or deleting it.

0 Karma