Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

regex

simo
Path Finder
‎04-27-2021 06:13 AM

Hi all,

I have a column containing
Request = REQ_IN ...... { ...... "productId": "test", ...... { ....... "productId": "test2" }}
I have to take the containing value in the first one productId test
I using = | rex field=Request "REQ_IN.*\"productId\"(?<productId_rex>[^,]*)"
but it returns me the second value test2
how can i solve?

Simone

Labels (1)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎04-27-2021 11:22 AM

hi @simo,
Command rex captures the first match in the group. Try this:

| makeresults 
| eval test="Request = REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}" 
| rex field=test "\"productId\":\s*\"(?<productId_rex>[^\"]+)\""
0 Karma
Reply

simo
Path Finder
‎04-28-2021 07:10 AM

Hi @manjunathmeti 

so he is taking the first one, at the beginning I need him to take REQ_IN and so something doesn't work 😞

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

Simone

0 Karma
Reply

manjunathmeti
Champion
‎04-28-2021 11:24 AM

You need to use lazy quantifier (*?B instead of greedy (*) to match as few characters as possible. Try this.

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*?\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-28-2021 12:11 PM

@manjunathmeti Looks very similar to my answer from yesterday 🙂

0 Karma
Reply

manjunathmeti
Champion
‎04-28-2021 10:43 PM

Yes, it is. My bad I was like lazy quantifier 😀

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2021 07:56 AM

You need to use lazy expansion on the any character, something like:

| rex field=Request "REQ_IN.+?\"productId\":\s(?<productId_rex>[^,]*)"

 

0 Karma
Reply

simo
Path Finder
‎04-27-2021 08:54 AM

hi @ITWhisperer 

thanks so it goes, but it does not work if the value of productId is only once 😞

simone

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2021 09:07 AM

I was following your example, but perhaps you could also not extract the quotation marks and use that as the delimiter, rather than the comma, as I suspect that isn't present if there is only one?

| rex field=Request "REQ_IN.+?\"productId\":\s\"(?<productId_rex>[^\"]*)"
0 Karma
Reply

aasabatini
Motivator
‎04-27-2021 07:02 AM

Hi @simo 

 

Can you try this regex?

^(?:[^:\n]*:){1}\"(?<productid>\w+)
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

simo
Path Finder
‎04-27-2021 07:20 AM

it's not working 😞

0 Karma
Reply

aasabatini
Motivator
‎04-27-2021 07:26 AM

@simo  don't  worry

try this

^[^:\n]*:\"(?P<productId>\w+)
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top