Solved: regex help

surekhasplunk · ‎05-19-2020

{"device":"abcd","host":"1.2.3.4"}
{"device":"efgh [ = ILO = ]","host":"2.3.4.5"}
{"device":"qrst - [ab cd ef]","host":"4.5.6.7"}

My data looks like this in the _raw.

now i am trying to fetch device and host using regex. please help. It should be simple but since host is a default keyword the host from which data is coming is also coming with field name host so i need to rename host coming in _raw to ip

to4kawa · ‎05-19-2020

|makeresults
| eval _raw="{\"device\":\"abcd\",\"host\":\"1.2.3.4\"}
{\"device\":\"efgh [ = ILO = ]\",\"host\":\"2.3.4.5\"}
{\"device\":\"qrst - [ab cd ef]\",\"host\":\"4.5.6.7\"}"
| multikv noheader=t
| fields _raw
| spath

View solution in original post

to4kawa · ‎05-19-2020

|makeresults
| eval _raw="{\"device\":\"abcd\",\"host\":\"1.2.3.4\"}
{\"device\":\"efgh [ = ILO = ]\",\"host\":\"2.3.4.5\"}
{\"device\":\"qrst - [ab cd ef]\",\"host\":\"4.5.6.7\"}"
| multikv noheader=t
| fields _raw
| spath

vnravikumar · ‎05-19-2020

Hi

Try this rex

|rex "\"device\"\:\"(?P<device>[^"]+)\"\,\"host\"\:\"(?P<ip>[^"]+)"

regex help

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

regex help

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25