Splunk Search

What am I doing wrong in this regex?

hagjos43
Contributor

This works if you | rex "EXTRACT-json_data=.+\"(?<json_data>{.+})\""

But when I try to move it over to props.conf as:

[mysourcetype]
EXTRACT-json_data=.+"(?<json_data>{.+})

It doesn't work.

Any ideas on what I'm doing wrong?

Thanks!
-Joe


gcusello
SplunkTrust

Hi hagjos43,
In your props.conf, the error is probably that a backslash is missing before the first bracket.
Anyway, try this to get all the chars between the braces (without the braces):

.+\"\{\"(?<json_data>[^\}]*)\"\}\"

Bye.
Giuseppe


DalJeanis
SplunkTrust

Probably closer to this...

[mysourcetype]
REGEX  = EXTRACT-json_data=.+"(?<json_data>{.+})"

kyaparla
Path Finder

You may have to escape your double quotes in props.conf.

wrangler2x
Motivator

Take this basic search and replace the event field with experimental data to see what breaks your regex

| makeresults
| eval event=",\"{whatever}\""
| rex field=event ",\"{(?<jason_data>[^}]+)"
| table jason_data event

MuS
SplunkTrust

Can you please post some sample events?


hagjos43
Contributor

12bca842-2f11-494c-b016-7668beda8bfd-1633657","2017-10-09T21:32:15.164Z","access","12bca842-2f11-494c-b016-7668beda8bfd-1633650","Scheduled activeSynchroniser_systemExternalOu-Mon Oct 09 17:32:15 EDT 2017",,,,,,"CREST","ScheduledTask","{""taskName"":""scheduler-service-group.activeSync_systemExternalOu""}",,,,,,,,"SUCCESSFUL",,,"12","MILLISECONDS",


MuS
SplunkTrust

So this regex .+\"(?<json_data>{.+})\" matches everything in the { }.

try this props.conf setting as kyaparla suggests and also move the { } out of the capturing group:

EXTRACT-json_data=.+\"{(?<json_data>.+)}\"

hagjos43
Contributor

Appreciate your help so far, but this still didn't work. Does it matter that this is a CSV that it is ingesting? I would think field extractions didn't care what extension a file has.

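The CSV question is worth testing concretely. The following is an added example, not code from anyone in the thread: it runs the regex from the original search and MuS's braces-outside variant against a sample event constructed from the line hagjos43 posted (the truncated opening quote of the first cell is restored), using Python's re module, which treats these constructs the same way as the PCRE engine Splunk uses. Because the JSON sits inside a quoted CSV cell, every inner quote is doubled ("") on the wire, so whatever either regex captures is not valid JSON until those quotes are undone; parsing the line as CSV first avoids the problem entirely. The function and variable names are this example's own.

```python
import csv
import io
import json
import re

# Constructed sample event, built from the CSV line posted in the thread. The
# opening quote of the first cell is restored (the post is cut off there); the
# JSON cell is quoted, so every inner quote is doubled ("") as CSV requires.
SAMPLE_EVENT = (
    '"12bca842-2f11-494c-b016-7668beda8bfd-1633657","2017-10-09T21:32:15.164Z","access",'
    '"12bca842-2f11-494c-b016-7668beda8bfd-1633650",'
    '"Scheduled activeSynchroniser_systemExternalOu-Mon Oct 09 17:32:15 EDT 2017",'
    ',,,,,"CREST","ScheduledTask",'
    '"{""taskName"":""scheduler-service-group.activeSync_systemExternalOu""}",'
    ',,,,,,,,"SUCCESSFUL",,,"12","MILLISECONDS",'
)

# Regex from the working search command, written with Python's (?P<name>)
# group syntax; the constructs used here behave the same under PCRE.
SEARCH_REGEX = re.compile(r'.+"(?P<json_data>{.+})"')
# MuS's variant with the braces moved outside the capture group.
BRACES_OUTSIDE_REGEX = re.compile(r'.+"{(?P<json_data>.+)}"')


def extract_with_regex(pattern, event):
    """Return the json_data capture, or None when the pattern does not match."""
    match = pattern.search(event)
    return match.group("json_data") if match else None


def is_valid_json(text):
    """True when text parses as JSON; the raw regex captures do not, because
    of the CSV-doubled quotes."""
    try:
        json.loads(text)
        return True
    except (TypeError, ValueError):
        return False


def extract_via_csv(event):
    """Parse the line as CSV first (which undoes the doubled quotes), then load
    the cell that holds the JSON object."""
    row = next(csv.reader(io.StringIO(event)))
    cell = next(c for c in row if c.startswith("{"))
    return json.loads(cell)


if __name__ == "__main__":
    for name, pattern in (("search rex", SEARCH_REGEX),
                          ("braces outside", BRACES_OUTSIDE_REGEX)):
        captured = extract_with_regex(pattern, SAMPLE_EVENT)
        print(f"{name}: {captured!r}  valid JSON: {is_valid_json(captured)}")
    # Undoing the CSV quote doubling turns the first capture into real JSON.
    fixed = extract_with_regex(SEARCH_REGEX, SAMPLE_EVENT).replace('""', '"')
    print("after un-doubling quotes:", fixed, "valid JSON:", is_valid_json(fixed))
    print("csv-parsed:", extract_via_csv(SAMPLE_EVENT))
```

Both regexes do match the sample, so the search-time result is reproducible outside Splunk; the capture just carries the CSV escaping with it. If the goal is to feed json_data into downstream parsing (spath or a SIEM rule), the doubled quotes need to be replaced, or the CSV needs to be parsed as CSV before the JSON is read.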