Hi,

The log is in this format under _raw field. Sorry, how do I paste it as Code Sample?

2641328 [EPS-log-dispatcher-11] INFO 1.24978294676695149906 - {"Log Header": "{"endpointKeyHash":{"string":"MAz7MadOhr02tPt5vtZsSEy9FWw="},"applicationToken":{"string":"24978294676695149906"},"headerVersion":{"int":1},"timestamp":{"long":1495594584490},"logSchemaVersion":{"int":2}}","Event":{"temperature":-1,"timeStamp":1495594583638}}

Hi wuming79,
if I correctly understand: you want to extract the string between double quotes after endpointKeyHash and String, correct?

if this is your need, your regex is

endpointKeyHash\":\{\"string\":\"(?<endpointKeyHash>[^\=\"]*)

you can test it at https://regex101.com/r/rbE3YH/1

When you insert a regex in a message, you have to select it and click on the "Code Sample" button (the one with 101010 numbers): in this way it's possible to see special characters.

Bye.
Giuseppe

Thanks Giuseppe. I got it now.

Not sure why my original question was not updated. I need to correct my search string which is

temperature sourcetype=kaa_file | rex field=_raw "\"endpointKeyHash\":{\"string\":\"(?[^\"])\".\"Event\": (?{.*})$" | spath input=mydata | table _time, temperature, endpoint

I tried replacing "(?[^\"]*) with "(?.+?)=" and it works. But what does .+?)= means? I thought everything that I wanted to extract should be within the ( )?

Go to regex101.com and enter your string and the regex. It will tell you exactly what each of the different symbols are doing on the right hand side of the extraction. Cheers.