Hi,
Can someone help me, please?
I'm very new to using Splunk and most certainly to the rex command and regular expressions, so please bear with me.
I'm trying to extract an accountId field from my raw data, which is in the following format: { "accountId":"C12345678" }
Could someone possibly tell me, please, how I may strip the actual accountId number out of this line?
Many thanks and kind regards
Tanvi
Is your raw data in JSON format? (Hard to tell from the snippet.) If it is, Splunk will do the field extraction for you.
No, it's an Apache log.
Try this.
... | rex "accountId\":\"(?<accountId>[\w]+)" | ...
I would have done it slightly differently (in case there were non-\w characters in the accountId):
... | rex "accountId\":\"(?<accountId>[^\"]+)" | ...
Thanks. I will try this.
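To compare the two patterns suggested in the answers above, here is an added example (not part of the original thread) that runs both over three constructed events, one of which has non-\w characters in the accountId. The sample log lines, the field names id_word, id_quoted and id_tolerant, and the third pattern (which also allows whitespace around the colon and so goes beyond what the thread shows) are assumptions introduced here.

```spl
| makeresults count=3
| streamstats count AS n
| eval note="constructed sample events, not from the original thread"
| eval _raw=case(
    n=1, "10.0.0.1 - - [01/Jan/2024:00:00:01 +0000] \"POST /api HTTP/1.1\" 200 512 { \"accountId\":\"C12345678\" }",
    n=2, "10.0.0.2 - - [01/Jan/2024:00:00:02 +0000] \"POST /api HTTP/1.1\" 200 512 { \"accountId\":\"C-1234.5678\" }",
    n=3, "10.0.0.3 - - [01/Jan/2024:00:00:03 +0000] \"POST /api HTTP/1.1\" 200 512 { \"accountId\" : \"C12345678\" }")
| rex "accountId\":\"(?<id_word>[\w]+)"
| rex "accountId\":\"(?<id_quoted>[^\"]+)"
| rex "\"accountId\"\s*:\s*\"(?<id_tolerant>[^\"]+)\""
| table n note id_word id_quoted id_tolerant
```

Because makeresults generates the events, the search can be pasted into the search bar without touching any index; compare the three id_* columns row by row to see where each pattern stops or fails to match.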