Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extract string between backward slash and quote

pinalshah341
Loves-to-Learn
‎01-13-2021 08:28 PM

{\"reference_id\":\"REF1\",\"sub_reference_id\":\"sub_ref_1\"}

required output : table of reference_id, sub_reference_id

For the above search string : 

I am trying  :

rex field=_raw "reference_id\\\\":\\\\"(?P<reference_id>.P[^\"]*)"

But it is not working. can someone help with the correct rex command to extract the fields explicitely

Labels (3)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 04:51 AM 
index=_internal | head 1 | fields _raw
| eval _raw="{\\\"reference_id\\\":\\\"REF1\\\",\\\"sub_reference_id\\\":\\\"sub_ref_1\\\"}"
| rename COMMENT as "this is sample"
| rex mode=sed "s/\\\//g"
| spath

try rex with sed mode and spath.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-14-2021 12:56 AM

First two lines set up your example data - main line extracts the two values into the fields

| makeresults 
| eval _raw="{\\\"reference_id\\\":\\\"REF1\\\",\\\"sub_reference_id\\\":\\\"sub_ref_1\\\"}"


| rex field=_raw "reference_id\\\\\":\\\\\"(?P<reference_id>[^\\\\\"]*)\\\\\",\\\\\"sub_reference_id\\\\\":\\\\\"(?P<sub_reference_id>[^\\\\\"]*)"
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-13-2021 09:15 PM

@pinalshah341 

| makeresults 
| eval _raw="{\\\"reference_id\\\":\\\"REF1\\\",\\\"sub_reference_id\\\":\\\"sub_ref_1\\\"}"
| rex field=_raw "reference_id\\\\\":\\\\\"(?P<reference_id>[^\\\\\"]*)"
0 Karma
Reply

pinalshah341
Loves-to-Learn
‎01-13-2021 09:39 PM

The value is not a constant string. Hence, need a query that fetches the value dynamically.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-14-2021 02:51 PM

@pinalshah341 

That rex statement is exactly that - extracting the dynamic reference - the REF1 is your example data showing how it works

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...