Splunk Search

How to extract a field within quotes and extract its value based on the following second set of quotes?

dernst
New Member

Hi Guys,

I am new to Splunk and regex and trying to extract a given field plus its value. So in the example below, the field is user and the value is 11111111, but this could be anything like a name or description etc. What is the easiest way to select a field by name and extract its value based on the following second set of quotes?

"user" : "11111111" 
0 Karma

Deepz2612
Explorer

Hi ,

For logs such as below please help me in extracting the data enclosed within double quotes.

Contact Dealership Name="Amery",Role= "IT_Deal"
Contact Dealership Name="US",Role= "IT_Deal"
Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"

I tried using rex field=_raw "Contact Dealership Name=\"(?<Dealership_Name>[^,]+)\""
But the results are as below:
Dealership_Name
Amery
US
but J. Nuckolls, Inc. dba Fenton Auto Sales is not included in the result.
How does the rex_field have to be modified to capture that also?

0 Karma

niketn
Legend

@Deepz2612, please post a new question. Also for Sample Data and SPL please use the code button (101010) on Splunk Answers so that special characters do not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

MuS
Legend

Hi dernst,

take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html which provides an example to the same question. You simply have to use this "([^"]+)"\s:\s"([^"]+)" as your regex in transforms.conf.

Hope this helps ...

cheers, MuS

0 Karma
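The regex from MuS's answer and the comma problem in Deepz2612's post can both be checked offline. This is an added example, not code from the thread: Python's `re` module stands in for Splunk's PCRE engine, the function and constant names are hypothetical, and the sample event is constructed around the `"user" : "11111111"` pair from the question.

```python
import re

# MuS's pattern, unchanged: group 1 is the quoted field name, group 2 the quoted value.
# Note that \s:\s needs exactly one whitespace character on each side of the colon.
KV_PATTERN = re.compile(r'"([^"]+)"\s:\s"([^"]+)"')

# Deepz2612's pattern (value ends at the first comma) beside a variant whose value
# ends at the closing quote. Python spells the named group (?P<name>...) where
# Splunk's rex uses (?<name>...).
COMMA_BOUNDED = re.compile(r'Contact Dealership Name="(?P<Dealership_Name>[^,]+)"')
QUOTE_BOUNDED = re.compile(r'Contact Dealership Name="(?P<Dealership_Name>[^"]+)"')

# Constructed sample event; the second value contains a comma on purpose.
SAMPLE_EVENT = '{ "user" : "11111111", "description" : "login from kiosk, lobby" }'

# The three log lines quoted in the thread.
DEALERSHIP_EVENTS = [
    'Contact Dealership Name="Amery",Role= "IT_Deal"',
    'Contact Dealership Name="US",Role= "IT_Deal"',
    'Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN"',
]


def extract_pairs(event):
    """Return {field_name: value} for every "name" : "value" pair in the event."""
    return {m.group(1): m.group(2) for m in KV_PATTERN.finditer(event)}


def extract_dealership(event, pattern):
    """Return the Dealership_Name capture, or None when the pattern does not match."""
    match = pattern.search(event)
    return match.group("Dealership_Name") if match else None


if __name__ == "__main__":
    print(extract_pairs(SAMPLE_EVENT))
    for event in DEALERSHIP_EVENTS:
        print(extract_dealership(event, COMMA_BOUNDED), "|",
              extract_dealership(event, QUOTE_BOUNDED))
```

Bounding the value with `[^"]+` keeps commas inside the quotes, while `[^,]+` fails to match the third log line at all, which is why that dealership is missing from the results.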