Hi,
Struggling yet again with another regex. The sample string looks like the following:
.........,"errorCode":"500113"}, .......
As part of a whole JSON response.
If I take that JSON and put it into regex101, I can use the following rex to correctly capture the code
"errorCode\":(.*?)},
However, I'm not sure how to turn that into a rex command to parse out the field. If I simply replace the .* with ?<> with a field name inside the brackets it errors out, and in fact I can't ever get it to not throw an error.
How do I turn an accurate regular expression (at least from my testing using online regular expression tools) into a rex command to capture a field in Splunk?
Don't replace .* with ?<fieldName>. You add ?<fieldName> after your (, like:
"errorCode\":(?<errorCode>.*?)},
Full rex (alteration to exclude double quotes from the extracted value):
| rex "\"errorCode\":\"(?<errorCode>.*?)\"},"
Probably better version, which specifies that errorCode can't contain ":
| rex "\"errorCode\":\"(?<errorCode>[^\"]+)\"},"
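An added example, not part of the original thread: JavaScript accepts the same (?<name>...) named-group syntax the answer uses for rex, so the script below runs the answer's three patterns (Splunk string escaping removed) over constructed events to show where they differ. The event strings, the pattern labels and the helper names extract and compareAll are assumptions made for the illustration.

```javascript
// Constructed sample events (not taken from the thread).
const events = [
  // errorCode is the last key before "}," as in the question's sample
  '{"status":"failed","error":{"message":"timeout","errorCode":"500113"}, "retry":true}',
  // errorCode is followed by another key, so "}," comes later
  '{"error":{"errorCode":"500113","message":"timeout"}, "retry":true}',
  // errorCode is present but empty
  '{"error":{"message":"ok","errorCode":""}, "retry":false}',
];

// The three patterns from the answer, without the \" escaping rex needs.
const patterns = {
  unquotedLazy: /"errorCode":(?<errorCode>.*?)},/,
  quotedLazy: /"errorCode":"(?<errorCode>.*?)"},/,
  negatedClass: /"errorCode":"(?<errorCode>[^"]+)"},/,
};

// Return the named group's value, or null when the pattern does not match.
function extract(pattern, event) {
  const m = pattern.exec(event);
  return m ? m.groups.errorCode : null;
}

// One result object per event, keyed by pattern label.
function compareAll() {
  return events.map((ev) =>
    Object.fromEntries(
      Object.entries(patterns).map(([name, re]) => [name, extract(re, ev)])
    )
  );
}

console.table(compareAll());
```

On the second event the lazy patterns run on to the later "}," and return a polluted value, while the negated-class pattern returns no match at all, which in Splunk leaves the field unset for that event.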
Ahh, thanks for the explanation! Works perfectly. Appreciate the help!
The feeling you have when you are too late to a regex question :S