Splunk Search

rex for raw text that has "" in it

phamxuantung
Communicator

Hello, I have raw data that contains the following:

....OrgnlTxRef:"04172D1xxxx","TxSts":"ACSC","StsRsnInt":{....

I'm trying to take out only the ACSC as a "TxSts" field to search for the events that don't contain it, but I can't figure it out for some reason. Can anybody help me?

0 Karma
1 Solution

manjunathmeti
Champion

hi @phamxuantung,
Try this:

| rex "\"TxSts\":\"(?<TxSts>[^\"]+)\""

phamxuantung
Communicator

Splunk said your query is missing a search command before '^'. And indeed my next pipe is still in white color.

0 Karma

manjunathmeti
Champion

I updated my answer, check now.

0 Karma
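
An added example, not part of the original thread: a self-contained search that builds three constructed events with makeresults (the OrgnlTxRef values and the RJCT status are made-up sample data), applies the rex from the accepted answer, and keeps the events whose TxSts is not ACSC. Because the rex pattern is itself a double-quoted string, every literal quote inside it is escaped with a backslash. The filter is written as NOT TxSts="ACSC" rather than TxSts!="ACSC" because != only matches events where the field exists, so an event with no TxSts at all would be dropped.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"OrgnlTxRef\":\"CONSTRUCTED-REF-1\",\"TxSts\":\"ACSC\",\"StsRsnInt\":{}}",
    n=2, "{\"OrgnlTxRef\":\"CONSTRUCTED-REF-2\",\"TxSts\":\"RJCT\",\"StsRsnInt\":{}}",
    n=3, "{\"OrgnlTxRef\":\"CONSTRUCTED-REF-3\",\"StsRsnInt\":{}}")
| rex "\"TxSts\":\"(?<TxSts>[^\"]+)\""
| search NOT TxSts="ACSC"
| table n TxSts _raw
```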