regex help

gitingua · ‎11-26-2021

hello my friends.

how using regex can delete everything in bold

{"test": " { \n \"data\": \"check\",\n \"git_branch\": \"master\",\n \"git_repo_name\": \"reponame\",\n \"id\": 234,\n \"timestamp\": 16378522342,\n } "}

output

{ \"data\": \"check\", \"git_branch\": \"master\", \"git_repo_name\": \"reponame\", \"id\": 3413, \"timestamp\": 16378522342 }

Gr0und_Z3r0 · ‎11-27-2021

Hi @gitingua , if you want a clean JSON data, then you can try something like this...

| makeresults 
| eval jsonData ="{\"test\": \"  {   \\n \\\"data\\\": \\\"check\\\",\\n \\\"git_branch\\\": \\\"master\\\",\\n \\\"git_repo_name\\\": \\\"reponame\\\",\\n \\\"id\\\": 234,\\n \\\"timestamp\\\": 16378522342,\\n } \"}"
| spath input=jsonData path=test output=result

Please vote up if it helps!

ITWhisperer · ‎11-26-2021

Does something like this work?

| rex mode=sed "s/\\n//g"
| rex mode=sed "s/\{\"test\":\s*\"\s*//g"
| rex mode=sed "s/\s*\"\}//g"

regex help

field extraction

fields

join

lookup

regex

rex

search job inspector

transaction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation

regex help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.