Solved: Extract fields from non-JSON formatted data

Matthew86 · ‎12-22-2021

Hi Guys,

Hope you can help me out.

Consider the following data in Splunk:

{ 
   attrs: { 
     account: 85859303
     version: 1.3848
   }
   line: { 
     application_version: 1.94949303
     message: Event with key 84js9393: {"entity": {"customer_id": "K123456", "order_id": "Sjd49493-93nd-9494-jdjd-mskaldjfhfhh", "collection_id": "djdis939-9398-9488-j939-md839md93000", "issuer_id": null}}
     thread: springfield
     timestamp: 2021-12-21 19:30:52,123
   }
}

I would like to extract the order_id and use it in my search:

order_id=Sjd49493-93nd-9494-jdjd-mskaldjfhfhh

Hope someone can help or point me in the right direction.

Cheers!

Matthew

richgalloway · ‎12-22-2021

It's easy with rex

... | rex "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)"
...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-22-2021

It's easy with rex

... | rex "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)"
...

---
If this reply helps you, Karma would be appreciated.

Matthew86 · ‎12-23-2021

Hi richgalloway, Thanks for you reply.

Unfortunately when I for example try to table the results I do not receive any results.

For example

Base search ....
| rex "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)"
| table order_id

Matthew86 · ‎12-23-2021

fixed it:

| rex field=line.message "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)"
| table order_id

Extract fields from non-JSON formatted data

fields

regex

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases

Are you a member of the Splunk Community?