Splunk Search

rex expression

ajaysamantbms
Explorer

one of my field contains one big string as shown below

params={fl=doc_objectid,score&sort=doc_dateeffective+asc,doc_number+asc&start=0&q=((doc_name:"pd\-dir\-0017\+\(005220\)"^72)+AND+(doc_version:"2.0"))+AND++doc_docbase:QDOC_PD_DOCS_MIG^0.00001+AND+doc_objecttype:document^0.00001&rows=500}

Using rex expression i wanted to extract the value of doc_name which is embedded inside the params field - the value is equal to whatever comes in till we hit )

sourcetype = abc.log | fields params | rex "doc_name:<?mydocname>[]+\ - i tried this - its not working..wanted to extract it in mydocname and sort by that field

Tags (1)
0 Karma
1 Solution

bandit
Motivator

Does this work?

| rex "doc_name:\"(?<mydocname>[^+]+)"

You may also need to specify the field for the rex if it not coming from _raw like so.

| rex field=params "doc_name:\"(?<mydocname>[^+]+)"

View solution in original post

1206chandra
Explorer

| rex field=params ".((\w+:\"(?.)\"^.*"

0 Karma

arihant16cse
Path Finder

please check it and it works on my machine

| rex field=params ".((\w+:\"(?.)\"^.*"

0 Karma

arihant16cse
Path Finder

| rex field=_raw ".((\w+:\"(?.)\"^.*"

please try it......it is not hard coded......

0 Karma

bandit
Motivator

Does this work?

| rex "doc_name:\"(?<mydocname>[^+]+)"

You may also need to specify the field for the rex if it not coming from _raw like so.

| rex field=params "doc_name:\"(?<mydocname>[^+]+)"

ajaysamantbms
Explorer

thanks it works for me..i could tweak it to change the field delimiter...thanks

0 Karma
Get Updates on the Splunk Community!

Edge Processor | New Resiliency Improvements & Support for Additional Data Sources

We are excited to announce several exciting updates for Edge Processor aimed at hardening overall product ...

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...