Regex to extract field value from a response [See ...

vivekmisra · ‎09-13-2021

I have this result response[sample]:

"{\"meta\":{\"code\":400}},[Content-Type:\"application/json\", Transfer-Encoding:\"chunked\", Date:\"Mon, 13 Sep 2021 17:25:12 GMT\", Keep-Alive:\"timeout=60\", Connection:\"keep-alive\"]"

I want value of field code to be extracted

I tried first to extract json out of this string "{\"meta\":{\"code\":400}},' but it looks i dont need to do these because i just want value of field code

I tried below but got stuck to remove "/" .

It would be nice to extract json and get code value but just getting the field code from above will also suffice
| eval responseJson0 = replace(responseJson,"\/", "")
| eval responseJson1 = replace(responseJson,"<", "")
| eval responseJson2 = replace(responseJson1,">", "")
| eval responseJson3 = replace(responseJson2,"200,", "")

ashvinpandey · ‎09-13-2021

@vivekmisra use this command in your search string:

| regex field=_raw "code\\\"\:(?P<code>\d+?)}"

Also the extraction logic to extract code value is as below:
code\\\"\:(?P<code>\d+?)}

Also, If this reply helps you, an upvote would be appreciated.

vivekmisra · ‎09-13-2021

Thanks it ia very similar to regular regex but how to have this printed by table.

I also looked https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Rex

So i am trying this :

| rex field=_raw "code\\\"\:(?P<code>\d+?)}"
|table code

Nothing is returned under code. What am I missing?

ashvinpandey · ‎09-16-2021

@vivekmisra Use this :

| regex field=_raw "code\\\"\:(?P<code>\d+?)}"

Also, If this reply helps you, an upvote would be appreciated.

Regex to extract field value from a response [See below]

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?