Solved: Re: rex expression

ajaysamantbms · ‎01-15-2014

one of my field contains one big string as shown below

params={fl=doc_objectid,score&sort=doc_dateeffective+asc,doc_number+asc&start=0&q=((doc_name:"pd\-dir\-0017\+\(005220\)"^72)+AND+(doc_version:"2.0"))+AND++doc_docbase:QDOC_PD_DOCS_MIG^0.00001+AND+doc_objecttype:document^0.00001&rows=500}

Using rex expression i wanted to extract the value of doc_name which is embedded inside the params field - the value is equal to whatever comes in till we hit )

sourcetype = abc.log | fields params | rex "doc_name:<?mydocname>[]+\ - i tried this - its not working..wanted to extract it in mydocname and sort by that field

bandit · ‎01-15-2014

Does this work?

| rex "doc_name:\"(?<mydocname>[^+]+)"

You may also need to specify the field for the rex if it not coming from _raw like so.

| rex field=params "doc_name:\"(?<mydocname>[^+]+)"

View solution in original post

1206chandra · ‎02-07-2019

| rex field=params ".((\w+:\"(?.)\"^.*"

arihant16cse · ‎02-06-2019

please check it and it works on my machine

| rex field=params ".((\w+:\"(?.)\"^.*"

arihant16cse · ‎02-06-2019

| rex field=_raw ".((\w+:\"(?.)\"^.*"

please try it......it is not hard coded......

bandit · ‎01-15-2014

Does this work?

| rex "doc_name:\"(?<mydocname>[^+]+)"

You may also need to specify the field for the rex if it not coming from _raw like so.

| rex field=params "doc_name:\"(?<mydocname>[^+]+)"

ajaysamantbms · ‎01-16-2014

thanks it works for me..i could tweak it to change the field delimiter...thanks

rex expression

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation