Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

regex

simo
Path Finder
‎04-27-2021 06:13 AM

Hi all,

I have a column containing
Request = REQ_IN ...... { ...... "productId": "test", ...... { ....... "productId": "test2" }}
I have to take the containing value in the first one productId test
I using = | rex field=Request "REQ_IN.*\"productId\"(?<productId_rex>[^,]*)"
but it returns me the second value test2
how can i solve?

Simone

Labels (1)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎04-27-2021 11:22 AM

hi @simo,
Command rex captures the first match in the group. Try this:

| makeresults 
| eval test="Request = REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}" 
| rex field=test "\"productId\":\s*\"(?<productId_rex>[^\"]+)\""
0 Karma
Reply

simo
Path Finder
‎04-28-2021 07:10 AM

Hi @manjunathmeti 

so he is taking the first one, at the beginning I need him to take REQ_IN and so something doesn't work 😞

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

Simone

0 Karma
Reply

manjunathmeti
Champion
‎04-28-2021 11:24 AM

You need to use lazy quantifier (*?B instead of greedy (*) to match as few characters as possible. Try this.

| makeresults
| eval test="REQ_IN ...... { ...... \"productId\": \"test\", ...... { ....... \"productId\": \"test2\" }}"
| rex field=test "REQ_IN.*?\"productId\":\s*\"(?<productId_rex>[^\"]+)\""

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-28-2021 12:11 PM

@manjunathmeti Looks very similar to my answer from yesterday 🙂

0 Karma
Reply

manjunathmeti
Champion
‎04-28-2021 10:43 PM

Yes, it is. My bad I was like lazy quantifier 😀

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2021 07:56 AM

You need to use lazy expansion on the any character, something like:

| rex field=Request "REQ_IN.+?\"productId\":\s(?<productId_rex>[^,]*)"

 

0 Karma
Reply

simo
Path Finder
‎04-27-2021 08:54 AM

hi @ITWhisperer 

thanks so it goes, but it does not work if the value of productId is only once 😞

simone

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2021 09:07 AM

I was following your example, but perhaps you could also not extract the quotation marks and use that as the delimiter, rather than the comma, as I suspect that isn't present if there is only one?

| rex field=Request "REQ_IN.+?\"productId\":\s\"(?<productId_rex>[^\"]*)"
0 Karma
Reply

aasabatini
Motivator
‎04-27-2021 07:02 AM

Hi @simo 

 

Can you try this regex?

^(?:[^:\n]*:){1}\"(?<productid>\w+)
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

simo
Path Finder
‎04-27-2021 07:20 AM

it's not working 😞

0 Karma
Reply

aasabatini
Motivator
‎04-27-2021 07:26 AM

@simo  don't  worry

try this

^[^:\n]*:\"(?P<productId>\w+)
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...