Re: regex field extraction on field changing data ...

VI371887 · ‎03-26-2018

hi i am having issue extracting fields from splunk field extraction and rex command

with msg field

it's has different values can be numbers, strings, path, punctuations, blank space like shown below.

"msg" :"35556"
"msg" :"<<÷] {<} ;;"
"msg" :"ycuvuuu jvbigg buivuv"
"msg" :" "

now problem is, i have written rex as
\msg\":(? \". *\") \,

but it returns value which following msg field.

"msg" :"vjvuv igivc uvviv", "origin" :"abcgc", "time" :23.45677",

493669 · ‎03-26-2018

Hi @VI371887,
Try this regex:

...|rex "msg\"\s:\"(?<msg>[^\"]+)"

VI371887 · ‎03-26-2018

this selects msg filed, i want the value of the field to be selected, like in above example

the msg values that is.. highlighted in bold.

"msg" :"35556"
"msg" :"<<÷] {<} ;;"
"msg" :"ycuvuuu jvbigg buivuv"
"msg" :"** **"

493669 · ‎03-26-2018

the above regex selects value for msg field as highlighted.
try this run anywhere search:

|makeresults|eval _raw="\"msg\" :\"35556\""|rex "msg\"\s:\"(?<message>[^\"]+)"

regex field extraction on field changing data value properties