Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

regex

simo
Explorer
‎04-27-2021 06:13 AM

Hi all,

I have a column containing
Request = REQ_IN ...... { ...... "productId": "test", ...... { ....... "productId": "test2" }}
I have to take the containing value in the first one productId test
I using = | rex field=Request "REQ_IN.*\"productId\"(?<productId_rex>[^,]*)"
but it returns me the second value test2
how can i solve?

Simone

Labels (1)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎04-27-2021 11:22 AM

hi @simo,
Command rex captures the first match in the group. Try this:

| makeresults 
| eval test="Request = REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}" 
| rex field=test "\"productId\":\s*\"(?<productId_rex>[^\"]+)\""
0 Karma
Reply

simo
Explorer
‎04-28-2021 07:10 AM

Hi @manjunathmeti 

so he is taking the first one, at the beginning I need him to take REQ_IN and so something doesn't work 😞

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

Simone

0 Karma
Reply

manjunathmeti
Champion
‎04-28-2021 11:24 AM

You need to use lazy quantifier (*?B instead of greedy (*) to match as few characters as possible. Try this.

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*?\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply

ITWhisperer
Legend
‎04-28-2021 12:11 PM

@manjunathmeti Looks very similar to my answer from yesterday 🙂

0 Karma
Reply

manjunathmeti
Champion
‎04-28-2021 10:43 PM

Yes, it is. My bad I was like lazy quantifier 😀

0 Karma
Reply

ITWhisperer
Legend
‎04-27-2021 07:56 AM

You need to use lazy expansion on the any character, something like:

| rex field=Request "REQ_IN.+?\"productId\":\s(?<productId_rex>[^,]*)"

 

0 Karma
Reply

simo
Explorer
‎04-27-2021 08:54 AM

hi @ITWhisperer 

thanks so it goes, but it does not work if the value of productId is only once 😞

simone

0 Karma
Reply

ITWhisperer
Legend
‎04-27-2021 09:07 AM

I was following your example, but perhaps you could also not extract the quotation marks and use that as the delimiter, rather than the comma, as I suspect that isn't present if there is only one?

| rex field=Request "REQ_IN.+?\"productId\":\s\"(?<productId_rex>[^\"]*)"
0 Karma
Reply

aasabatini
Builder
‎04-27-2021 07:02 AM

Hi @simo 

 

Can you try this regex?

^(?:[^:\n]*:){1}\"(?<productid>\w+)
0 Karma
Reply

simo
Explorer
‎04-27-2021 07:20 AM

it's not working 😞

0 Karma
Reply

aasabatini
Builder
‎04-27-2021 07:26 AM

@simo  don't  worry

try this

^[^:\n]*:\"(?P<productId>\w+)
0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!