My log contains:
"SeqNo":4433221,"T_CODE":"ABC","VALUE":983123456,"VALUE2":"0000000000",
I need the VALUE field, which should display 983123456 as output. I tried this query:
|rex VALUE="(?[^\d*])" |table VALUE
Please help.
Like this:
| makeresults
| eval _raw= "\"SeqNo\":4433221,\"T_CODE\":\"ABC\",\"VALUE\":983123456,\"VALUE2\":\"0000000000\","
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."
| rex max_match=0 "(?<KEY_1>[^:\"]+)\"?:\"?(?<VAL_1>[^:\"]+)\"?,"
| eval _raw = mvzip(KEY_1, VAL_1, "=")
| kv
I named them this way for a reason; search for _KEY_1 on this page:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
Hi
Check this
| makeresults
| eval temp= "\"SeqNo\":4433221,\"T_CODE\":\"ABC\",\"VALUE\":983123456,\"VALUE2\":\"0000000000\", "
|rex field=temp "VALUE\"\:(?P<value>\d+)"
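
To check the patterns from both answers without a Splunk instance, here is an added example that is not part of the original thread. It uses Python's re module, so named groups are written (?P<name>...); the function names are hypothetical and the sample event is the log line from the question.

```python
import re

# Constructed sample event: the log line quoted in the question.
RAW = '"SeqNo":4433221,"T_CODE":"ABC","VALUE":983123456,"VALUE2":"0000000000",'

# Targeted pattern from the second answer. The closing quote after VALUE
# stops it from matching the VALUE2 key.
VALUE_RE = re.compile(r'VALUE":(?P<value>\d+)')

# Generic key/value pattern from the first answer, with Python's
# (?P<name>...) group syntax in place of (?<name>...).
PAIR_RE = re.compile(r'(?P<KEY_1>[^:"]+)"?:"?(?P<VAL_1>[^:"]+)"?,')


def extract_value(raw):
    """Return the digits of the VALUE field, or None if the field is absent."""
    m = VALUE_RE.search(raw)
    return m.group("value") if m else None


def extract_pairs(raw):
    """Return every key/value pair in the event as a dict of strings."""
    return {m.group("KEY_1"): m.group("VAL_1") for m in PAIR_RE.finditer(raw)}


def class_match(fragment):
    # The class [^\d*] used in the question matches exactly one character
    # that is neither a digit nor '*', so it cannot capture a number.
    m = re.match(r'[^\d*]', fragment)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(extract_value(RAW))          # targeted extraction
    print(extract_pairs(RAW))          # all fields, values kept as strings
    print(class_match("983123456"))    # the question's class against the digits
```

The generic extraction keeps every value as a string, so the leading zeros in VALUE2 survive.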