regex

simo · ‎04-27-2021

Hi all,

I have a column containing
Request = REQ_IN ...... { ...... "productId": "test", ...... { ....... "productId": "test2" }}
I have to take the containing value in the first one productId test
I using = | rex field=Request "REQ_IN.*\"productId\"(?<productId_rex>[^,]*)"
but it returns me the second value test2
how can i solve?

Simone

manjunathmeti · ‎04-27-2021

hi @simo,
Command rex captures the first match in the group. Try this:

| makeresults 
| eval test="Request = REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}" 
| rex field=test "\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

simo · ‎04-28-2021

Hi @manjunathmeti

so he is taking the first one, at the beginning I need him to take REQ_IN and so something doesn't work 😞

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

Simone

manjunathmeti · ‎04-28-2021

You need to use lazy quantifier (*?B instead of greedy (*) to match as few characters as possible. Try this.

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*?\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

If this reply helps you, a like would be appreciated.

ITWhisperer · ‎04-28-2021

@manjunathmeti Looks very similar to my answer from yesterday 🙂

manjunathmeti · ‎04-28-2021

Yes, it is. My bad I was like lazy quantifier 😀

ITWhisperer · ‎04-27-2021

You need to use lazy expansion on the any character, something like:

| rex field=Request "REQ_IN.+?\"productId\":\s(?<productId_rex>[^,]*)"

simo · ‎04-27-2021

hi @ITWhisperer

thanks so it goes, but it does not work if the value of productId is only once 😞

simone

ITWhisperer · ‎04-27-2021

I was following your example, but perhaps you could also not extract the quotation marks and use that as the delimiter, rather than the comma, as I suspect that isn't present if there is only one?

| rex field=Request "REQ_IN.+?\"productId\":\s\"(?<productId_rex>[^\"]*)"

aasabatini · ‎04-27-2021

Hi @simo

Can you try this regex?

^(?:[^:\n]*:){1}\"(?<productid>\w+)

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

simo · ‎04-27-2021

it's not working 😞

aasabatini · ‎04-27-2021

@simo don't worry

try this

^[^:\n]*:\"(?P<productId>\w+)

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

regex

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

regex

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...