extract string between backward slash and quote

pinalshah341 · ‎01-13-2021

{\"reference_id\":\"REF1\",\"sub_reference_id\":\"sub_ref_1\"}

required output : table of reference_id, sub_reference_id

For the above search string :

I am trying :

rex field=_raw "reference_id\\\\":\\\\"(?P<reference_id>.P[^\"]*)"

But it is not working. can someone help with the correct rex command to extract the fields explicitely

to4kawa · ‎01-15-2021

index=_internal | head 1 | fields _raw
| eval _raw="{\\\"reference_id\\\":\\\"REF1\\\",\\\"sub_reference_id\\\":\\\"sub_ref_1\\\"}"
| rename COMMENT as "this is sample"
| rex mode=sed "s/\\\//g"
| spath

try rex with sed mode and spath.

ITWhisperer · ‎01-14-2021

First two lines set up your example data - main line extracts the two values into the fields

| makeresults 
| eval _raw="{\\\"reference_id\\\":\\\"REF1\\\",\\\"sub_reference_id\\\":\\\"sub_ref_1\\\"}"


| rex field=_raw "reference_id\\\\\":\\\\\"(?P<reference_id>[^\\\\\"]*)\\\\\",\\\\\"sub_reference_id\\\\\":\\\\\"(?P<sub_reference_id>[^\\\\\"]*)"

bowesmana · ‎01-13-2021

@pinalshah341

| makeresults 
| eval _raw="{\\\"reference_id\\\":\\\"REF1\\\",\\\"sub_reference_id\\\":\\\"sub_ref_1\\\"}"
| rex field=_raw "reference_id\\\\\":\\\\\"(?P<reference_id>[^\\\\\"]*)"

pinalshah341 · ‎01-13-2021

The value is not a constant string. Hence, need a query that fetches the value dynamically.

bowesmana · ‎01-14-2021

@pinalshah341

That rex statement is exactly that - extracting the dynamic reference - the REF1 is your example data showing how it works

extract string between backward slash and quote

eval

regex

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!