Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to match value in events using Rex

james_n
Path Finder
‎04-12-2020 09:47 AM

Hi experts,

please help me with regular expression to match the value in each event at search time as shown below

:{\"buaid\":{\"business\":[\"12345\"],\"exclude*

required output: bss_value=12345

thanks in advance.

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎04-12-2020 01:38 PM 
|rex "(?<bss_value>\d{5})"

This is enough.

0 Karma
Reply

jpolvino
Builder
‎04-12-2020 12:09 PM

This might get you close, with a run anywhere example:

| makeresults | eval _raw=":{\\\"buaid\\\":{\\\"business\\\":[\\\"12345\\\"],\\\"exclude*"
| rex ":{\\\\\"buaid\\\\\":{\\\\\"business\\\\\":\[\\\\\"(?<bss_value>[^\\\]+)\\\\\"\],"

It sets up a _raw field, and then extracts from it. The last line should do it for you.

Reply

james_n
Path Finder
‎05-14-2020 09:24 PM

Hi @jpolvino , thanks for the answer. its working fine. but if i have multiple values with , separated than its not working .Please help on this.

Ex: :{\"buaid\":{\"business\":[\"12345\",\"6789\"]

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-12-2020 12:01 PM

Try 

business\\":\[\\"(?<bss_value>[^\\]+)\\
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...