Hi, I am having an issue extracting fields with Splunk field extraction and the rex command
for the msg field.
It has different values: they can be numbers, strings, paths, punctuation, or blank space, as shown below.
"msg" :"35556"
"msg" :"<<÷] {<} ;;"
"msg" :"ycuvuuu jvbigg buivuv"
"msg" :" "
Now the problem is, I have written the rex as
\msg\":(? \". *\") \,
but it returns the values which follow the msg field.
"msg" :"vjvuv igivc uvviv", "origin" :"abcgc", "time" :23.45677",
Hi @VI371887,
Try this regex:
...|rex "msg\"\s:\"(?<msg>[^\"]+)"
This selects the msg field; I want the value of the field to be selected, like in the above example,
that is, the msg values that are highlighted in bold.
"msg" :"35556"
"msg" :"<<÷] {<} ;;"
"msg" :"ycuvuuu jvbigg buivuv"
"msg" :"** **"
The above regex selects the value for the msg field as highlighted.
Try this run-anywhere search:
|makeresults|eval _raw="\"msg\" :\"35556\""|rex "msg\"\s:\"(?<message>[^\"]+)"
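An added example, not part of the original thread: a Python comparison of a greedy `.*` capture with the negated character class from the reply, run over the sample values quoted above. The greedy pattern is an assumed reconstruction of the question's rex, the last two sample events and the `TOLERANT` variant (empty values, escaped quotes) are constructed here, and Python writes the named group as `(?P<msg>...)` where rex uses `(?<msg>...)`.

```python
import re

# Python's re module spells named groups (?P<name>...); Splunk's rex (PCRE)
# spells the same group (?<name>...). The rest of each pattern is unchanged.

# Greedy capture: assumed reconstruction of the question's rex, which is
# garbled on the page. ".*" runs to the LAST quote in the event.
GREEDY = re.compile(r'msg"\s:"(?P<msg>.*)"')

# Pattern from the reply: [^"]+ stops at the first closing quote.
NEGATED = re.compile(r'msg"\s:"(?P<msg>[^"]+)')

# Variant added here (not from the thread): "*" so an empty value still
# matches, and "\\." so a backslash-escaped quote stays inside the value.
TOLERANT = re.compile(r'msg"\s:"(?P<msg>(?:[^"\\]|\\.)*)"')

SAMPLES = [
    # Values quoted in the thread
    '"msg" :"35556"',
    '"msg" :"<<÷] {<} ;;"',
    '"msg" :"ycuvuuu jvbigg buivuv"',
    '"msg" :" "',
    '"msg" :"vjvuv igivc uvviv", "origin" :"abcgc", "time" :23.45677",',
    # Constructed edge cases (not from the thread)
    '"msg" :"", "origin" :"abcgc"',
    '"msg" :"said \\"hi\\"", "origin" :"abcgc"',
]

def extract(pattern, event):
    """Return the captured msg value, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("msg") if m else None

def compare(event):
    """Run all three patterns against one event and return their captures."""
    patterns = (("greedy", GREEDY), ("negated", NEGATED), ("tolerant", TOLERANT))
    return {name: extract(p, event) for name, p in patterns}

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev)
        for name, value in compare(ev).items():
            print(f"    {name:9s} {value!r}")
```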