Solved: Re: rex expression

ajaysamantbms · ‎01-15-2014

one of my field contains one big string as shown below

params={fl=doc_objectid,score&sort=doc_dateeffective+asc,doc_number+asc&start=0&q=((doc_name:"pd\-dir\-0017\+\(005220\)"^72)+AND+(doc_version:"2.0"))+AND++doc_docbase:QDOC_PD_DOCS_MIG^0.00001+AND+doc_objecttype:document^0.00001&rows=500}

Using rex expression i wanted to extract the value of doc_name which is embedded inside the params field - the value is equal to whatever comes in till we hit )

sourcetype = abc.log | fields params | rex "doc_name:<?mydocname>[]+\ - i tried this - its not working..wanted to extract it in mydocname and sort by that field

bandit · ‎01-15-2014

Does this work?

| rex "doc_name:\"(?<mydocname>[^+]+)"

You may also need to specify the field for the rex if it not coming from _raw like so.

| rex field=params "doc_name:\"(?<mydocname>[^+]+)"

View solution in original post

1206chandra · ‎02-07-2019

| rex field=params ".((\w+:\"(?.)\"^.*"

arihant16cse · ‎02-06-2019

please check it and it works on my machine

| rex field=params ".((\w+:\"(?.)\"^.*"

arihant16cse · ‎02-06-2019

| rex field=_raw ".((\w+:\"(?.)\"^.*"

please try it......it is not hard coded......

bandit · ‎01-15-2014

Does this work?

| rex "doc_name:\"(?<mydocname>[^+]+)"

You may also need to specify the field for the rex if it not coming from _raw like so.

| rex field=params "doc_name:\"(?<mydocname>[^+]+)"

ajaysamantbms · ‎01-16-2014

thanks it works for me..i could tweak it to change the field delimiter...thanks

rex expression

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?