regex help

gitingua · ‎11-26-2021

hello my friends.

how using regex can delete everything in bold

{"test": " { \n \"data\": \"check\",\n \"git_branch\": \"master\",\n \"git_repo_name\": \"reponame\",\n \"id\": 234,\n \"timestamp\": 16378522342,\n } "}

output

{ \"data\": \"check\", \"git_branch\": \"master\", \"git_repo_name\": \"reponame\", \"id\": 3413, \"timestamp\": 16378522342 }

Gr0und_Z3r0 · ‎11-27-2021

Hi @gitingua , if you want a clean JSON data, then you can try something like this...

| makeresults 
| eval jsonData ="{\"test\": \"  {   \\n \\\"data\\\": \\\"check\\\",\\n \\\"git_branch\\\": \\\"master\\\",\\n \\\"git_repo_name\\\": \\\"reponame\\\",\\n \\\"id\\\": 234,\\n \\\"timestamp\\\": 16378522342,\\n } \"}"
| spath input=jsonData path=test output=result

Please vote up if it helps!

ITWhisperer · ‎11-26-2021

Does something like this work?

| rex mode=sed "s/\\n//g"
| rex mode=sed "s/\{\"test\":\s*\"\s*//g"
| rex mode=sed "s/\s*\"\}//g"

regex help

field extraction

fields

join

lookup

regex

rex

search job inspector

transaction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation

regex help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.