Solved: regex help

surekhasplunk · ‎05-19-2020

{"device":"abcd","host":"1.2.3.4"}
{"device":"efgh [ = ILO = ]","host":"2.3.4.5"}
{"device":"qrst - [ab cd ef]","host":"4.5.6.7"}

My data looks like this in the _raw.

now i am trying to fetch device and host using regex. please help. It should be simple but since host is a default keyword the host from which data is coming is also coming with field name host so i need to rename host coming in _raw to ip

to4kawa · ‎05-19-2020

|makeresults
| eval _raw="{\"device\":\"abcd\",\"host\":\"1.2.3.4\"}
{\"device\":\"efgh [ = ILO = ]\",\"host\":\"2.3.4.5\"}
{\"device\":\"qrst - [ab cd ef]\",\"host\":\"4.5.6.7\"}"
| multikv noheader=t
| fields _raw
| spath

View solution in original post

to4kawa · ‎05-19-2020

|makeresults
| eval _raw="{\"device\":\"abcd\",\"host\":\"1.2.3.4\"}
{\"device\":\"efgh [ = ILO = ]\",\"host\":\"2.3.4.5\"}
{\"device\":\"qrst - [ab cd ef]\",\"host\":\"4.5.6.7\"}"
| multikv noheader=t
| fields _raw
| spath

vnravikumar · ‎05-19-2020

Hi

Try this rex

|rex "\"device\"\:\"(?P<device>[^"]+)\"\,\"host\"\:\"(?P<ip>[^"]+)"

regex help

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

regex help

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...