Hi Regexian Splunkers,
I have an event that looks like so:
2020-02-20 20:22:02.202020 test:>"value" test1:>"value1" test2:>"this is a \"test\"" test3:>"this is \"a test\" ok" test4:>"this is \"another\" test ok?"
I want the fields extracted to look as so:
test value
test1 value1
test2 this is a \"test\"
test3 this is \"a test\" ok"
test4 this is \"another\" test..ok?
In words: I want a field name, which can have letters, numbers and underscores, followed by ":>", followed by double quotes, then the field value (which can have escaped quotes in it), followed by double quotes.
My configs look like:
props.conf:
[mydumbsourcetype]
TRANSFORMS-01-Pull_Colon_Angle_Events = Pull_Colon_Angle_Events
transforms.conf:
[Pull_Colon_Angle_Events]
disabled = false
SOURCE_KEY = _raw
REGEX = ([\w\_]+)\=\"((?:[^"\\]|\\.)*)\"
FORMAT = $1::$2
My regex works on regex101.com (https://regex101.com/r/LUb4km/1), but in Splunk I am getting no fields. Any help would be lovely.
./D
@darrenfuller you would need additional escaping in Splunk for " and \ while defining the regular expression. The following is a test you can run in Splunk SPL to validate the REGEX:
| makeresults
| eval _raw=" 2020-02-20 20:22:02.202020 test:>\"value\" test1:>\"value1\" test2:>\"this is a \\\"test\\\"\" test3:>\"this is \\\"a test\\\" ok\" test4:>\"this is \\\"another\\\" test ok?\""
| rex "(?<field>[\w\_]+)\:\>\"(?<value>(?:[^\"\\\]|\\\.)*)\"" max_match=0
If the above works as per your expectation, you would need to use the following REGEX in transforms.conf:
([\w\_]+)\:\>\"((?:[^\"\\\]|\\\.)*)\"
PS: If you pass the regex101 regular expression to the Splunk SPL I have provided above, you will notice that it is unable to parse the regular expression, as quote and backslash need additional escaping in Splunk.
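To make the two escaping layers concrete, here is an added Python example (not code from the question, the answer or Splunk itself). It runs the name:>"value" pattern, written the way a regex engine reads it with no string-unescaping layer, over a constructed copy of the event and checks that the five values come out with their backslash-escaped quotes intact. It then takes the rex string exactly as it appears between the quotes of the answer's SPL command, applies the one round of unescaping Splunk performs on a double-quoted search string (an assumption, modelled on Splunk's documented rex behaviour: \\ becomes \ and \" becomes ", everything else passes through), and shows that the decoded pattern extracts the same fields. The question's own transforms.conf pattern is run as well, to show that, anchored on "=" rather than ":>", it matches nothing on this event. Names such as EVENT, spl_unescape and rex_from_spl are the example's own.

```python
import re

# Constructed sample event, shaped like the one in the question.
EVENT = ('2020-02-20 20:22:02.202020 test:>"value" test1:>"value1" '
         'test2:>"this is a \\"test\\"" test3:>"this is \\"a test\\" ok" '
         'test4:>"this is \\"another\\" test ok?"')

# Field values the question asks for (backslash-escaped quotes kept as-is).
EXPECTED = {
    "test": "value",
    "test1": "value1",
    "test2": 'this is a \\"test\\"',
    "test3": 'this is \\"a test\\" ok',
    "test4": 'this is \\"another\\" test ok?',
}

# Pattern as a regex engine reads it, with no string-unescaping layer:
#   group 1: field name (letters, digits, underscore)
#   literal ':>' and the opening quote
#   group 2: value, each char either a non-quote/non-backslash char or a
#            backslash followed by any char (so \" inside the value is kept)
TRANSFORMS_RE = re.compile(r'(\w+):>"((?:[^"\\]|\\.)*)"')

# The question's own transforms.conf pattern: it anchors on '=' instead
# of ':>', so it cannot match this event at all.
QUESTION_RE = re.compile(r'([\w\_]+)\=\"((?:[^"\\]|\\.)*)\"')

# The rex pattern exactly as it appears between the quotes of the answer's
# `| rex "..."` command (raw string, so every backslash here is literal).
SPL_REX = r'(?<field>[\w\_]+)\:\>\"(?<value>(?:[^\"\\\]|\\\.)*)\"'


def extract_fields(raw, pattern=TRANSFORMS_RE):
    """Return {name: value} for every name:>"value" pair matched in raw.

    Works with numbered and named groups alike, because named groups are
    also numbered in order of appearance (name = group 1, value = group 2).
    """
    return {m.group(1): m.group(2) for m in pattern.finditer(raw)}


def spl_unescape(s):
    # Model (assumption) of the unescaping Splunk applies to a double-quoted
    # SPL string before the regex engine sees it: a backslash followed by a
    # backslash or a double quote yields that character; any other backslash
    # sequence (\w, \., \]) is passed through untouched.
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def rex_from_spl(spl_string):
    """Turn an SPL rex string into a compiled Python pattern: unescape it the
    way Splunk does, then rewrite PCRE's (?<name>...) named groups into
    Python's (?P<name>...) form, leaving lookbehinds (?<= and (?<! alone."""
    pcre = spl_unescape(spl_string)
    py = re.sub(r"\(\?<(?![=!])", "(?P<", pcre)
    return re.compile(py)


if __name__ == "__main__":
    for name, value in extract_fields(EVENT).items():
        print(name, value)
    print("question's pattern matched:", extract_fields(EVENT, QUESTION_RE))
    print("decoded SPL rex:", spl_unescape(SPL_REX))
    print("fields via decoded rex:", extract_fields(EVENT, rex_from_spl(SPL_REX)))
```

The useful check when a pattern "works on regex101 but not in Splunk" is to print the decoded form, as spl_unescape does here, and compare it character by character with the regex101 version: the search bar strips one level of backslashes and quotes before the engine runs, while a pattern that is never passed through a quoted string is read as-is.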