Splunk Search

rex extration with double quotes

mwibowo1
New Member

"ContactId":"12345" and i have tried rex "\"ContactId\":\"(?[0-9]*)\""
and no result..
please help.. what did i do wrong with escape char \?

0 Karma

pruthvikrishnap
Contributor
"ContactId\":"(.*?)"
0 Karma

deepashri_123
Motivator

Hey@mwibowo1,

Can you try this:
rex field=_raw "\"ContactId\":\"(?P.*)\""
Let me know if this helps!!

0 Karma

mwibowo1
New Member

sorry - not working

| rex field=_raw "\"ContactId\":\"(?<ContactId>[a-zA-Z0-9-]*)\"" | table ContactId

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Are you trying to extract the numbers? If so then you can simply escape the quotes with a backslash

Try the extraction below, the field-name will be ContactId

| rex ContactId\"\:\"(?<ContactId>\d+)

0 Karma

mwibowo1
New Member

that is exactly what i am doing and it does not work..

0 Karma

mwibowo1
New Member

does not work means when i do | table ContactId and it shows empty table (I know i have the data)

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You said you tried this and it didn't work?? You're regex is broken and doesn't capture the values whereas the solution I posted does..

| rex "\"ContactId\":\"(?[0-9]*)\""

You're trying to extract the numbers? What doesn't work? Is it partially working? You need to add more context if you want any shot at getting this working

0 Karma

mwibowo1
New Member

sorry - this is not working -
rex "\"ContactId\":\"(?[0-9]*)\""

0 Karma

mwibowo1
New Member

rex "\"ContactId\":\"(?<ContactId>[a-zA-Z0-9-]*)\""

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

This looks mostly fine. I'd put the last - in the square brackets at the front of the list, though:

... | rex "\"ContactId\":\"(?<ContactId>[-a-zA-Z0-9]*)\""

Otherwise it seems fine. Do you also need to specify the field in this case? Sometimes that is needed to get it to work properly. There is just barely enough information about your problem to go on. This is a run-anywhere search that shows that it should work:

| makeresults 
| eval data="\"ContactId\":\"12345\"" 
| rex field=data "\"ContactId\":\"(?<ContactId>[-a-zA-Z0-9]*)\""
0 Karma

mwibowo1
New Member

sorry not working

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Does the run-anywhere search above work on your Splunk? If it doesn't, then you have something seriously odd going on. If it does, but the single line search above doesn't work, then your data doesn't look the way you have said, because each of the options that you have been given by the various contributors here should work. Look at your data carefully and figure out why it is not the same as what you have posted here.

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...