Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

regex field extraction - match field in double quotes after sting match

rotundwizard
Explorer
‎02-01-2019 10:08 AM

I'm attempting to build a regex that will extract a field enclosed in double-quotes, after a string match. Basically I want to extract a field 4 fields after the string POST. All fields enclosed in double-quotes, separated by commas.

"*several fields*","POST","field1","field2","field3","field4","**THE_FIELD_I_NEED**"

Any assistance would be welcome!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 10:15 AM

Hi @rotundwizard

Give this a try: \"POST\",[^\,]+,[^\,]+,[^\,]+,[^\,]+,\"(?<my_new_field>[^\,]+)\"

https://regex101.com/r/ObxLtM/1

All the best

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-01-2019 10:25 AM

Like this:

... | rex "\"POST\",(?:[^\,]+,){4}\"(?<the_field_I_need>[^\,]+)\""
0 Karma
Reply
Solved! Jump to solution

saurabhkharkar
Path Finder
‎02-01-2019 10:20 AM 
Try this

|rex field=_raw "POST\"\,\"\w+\"\,\"\w+\"\,\"\w+\"\,\"\w+\"\,\"(?<optuput>\w+)\""
0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 10:23 AM

Be aware this this one won't work correctly if one of you fields has spaces in it.

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 10:15 AM

Hi @rotundwizard

Give this a try: \"POST\",[^\,]+,[^\,]+,[^\,]+,[^\,]+,\"(?<my_new_field>[^\,]+)\"

https://regex101.com/r/ObxLtM/1

All the best

0 Karma
Reply
Solved! Jump to solution

rotundwizard
Explorer
‎02-01-2019 10:37 AM

This technically did work, for my specific situation it did not (my fault for not providing sufficient detail). One of the fields after the POST string contains a comma. Which would be fine, except that comma isn't always there depending on the log data. Would it be possible to key in on the double-quotes, instead of the commas?

"several fields","POST","field1" "field2","field3","field4","thefieldIwant"

OR

"several fields","POST","field1" "field2","field3","field,4","thefieldIwant"

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 10:44 AM

Try this one:

https://regex101.com/r/ObxLtM/2

\"POST\",(?:\"[^\"]+\",){4}\"(?<my_new_field>[^\,]+)\"

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-01-2019 10:45 AM

or this \"POST\",(?:\"[^\"]+\",){4}\"(?<my_new_field>[^\"]+)\"

https://regex101.com/r/ObxLtM/3

0 Karma
Reply
Solved! Jump to solution

rotundwizard
Explorer
‎02-01-2019 10:50 AM

Both work perfectly, thank you very much!

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top